6587 matches found
scponly -- local privilege escalation exploits
Max Vozeler reports: If ALL the following conditions are true, administrators using scponly-4.1 or older may be at risk of a local privilege escalation exploit: the chrooted setuid scponlyc binary is installed regular non-scponly users have interactive shell access to the box a user executable...
nbd-server -- buffer overflow vulnerability
Kurt Fitzner reports a buffer overflow vulnerability within nbd. This could potentially allow the execution of arbitrary code on the nbd server...
cvsbug -- race condition
Problem description A temporary file is created, used, deleted, and then re-created with the same name. This creates a window during which an attacker could replace the file with a link to another file. While cvsbug1 is based on the send-pr1 utility, this problem does not exist in the version of...
urban -- stack overflow vulnerabilities
Several filename-related stack overflow bugs allow a local attacker to elevate its privileges to the games group, since urban is installed setgid games. Issue discovered and fixed by...
vim -- vulnerabilities in modeline handling: glob, expand
Georgi Guninski discovered a way to construct Vim modelines that execute arbitrary shell commands. The vulnerability can be exploited by including shell commands in modelines that call the glob or expand functions. An attacker could trick an user to read or edit a trojaned file with modelines...
fetchmail -- denial of service/crash from malicious POP3 server
In fetchmail 6.2.5.1, the remote code injection via POP3 UIDL was fixed, but a denial of service attack was introduced: Two possible NULL-pointer dereferences allow a malicious POP3 server to crash fetchmail by respondig with UID lines containing only the article number but no UID in violation of...
axel -- remote buffer overflow
A Debian Security Advisory reports: Ulf Härnhammar from the Debian Security Audit Project discovered a buffer overflow in axel, a light download accelerator. When reading remote input the program did not check if a part of the input can overflow a buffer and maybe trigger the execution of arbitra...
f2c -- insecure temporary files
Javier Fernández-Sanguino Peña reports two temporary file vulnerability within f2c. The vulnerabilities are caused due to weak temporary file handling. An attacker could create an symbolic link, causing a local user running f2c to overwrite the symlinked file. This could give the attacker elevate...
tnftp -- mget does not check for directory escapes
When downloading a batch of files from an FTP server the mget command does not check for directory escapes. A specially crafted file on the FTP server could then potentially overwrite an existing file of the user...
fd_set -- bitmap index overflow in multiple applications
3APA3A reports: If programmer fails to check socket number before using select or fdset macros, it's possible to overwrite memory behind fdset structure. Very few select based application actually check FDSETSIZE value. ... Depending on vulnerable application it's possible to overwrite portions o...
up-imapproxy -- multiple vulnerabilities
Timo Sirainen reports: There are various bugs in up-imapproxy which can crash it. Since up-imapproxy runs in a single process with each connection handled in a separate thread, any crash kills all the connections and stops listening for new ones. In 64bit systems it might be possible to make it...
nss -- exploitable buffer overflow in SSLv2 protocol handler
ISS X-Force reports that a remotely exploitable buffer overflow exists in the Netscape Security Services NSS library's implementation of SSLv2. From their advisory: The NSS library contains a flaw in SSLv2 record parsing that may lead to remote compromise. When parsing the first record in an SSLv...
cacti -- SQL injection
Fernando Quintero reports that Cacti 0.8.5a suffers from a SQL injection attack where an attacker can change the password for any Cacti user. This attack is not possible if the PHP option magicquotesgpc is set to On, which is the default for PHP in FreeBSD...
Buffer overflows in libmcrypt
libmcrypt does incomplete input validation, leading to several buffer overflows. Additionally, a memory leak is present. Both of these problems may be exploited in a denial-of-service attack...
seti@home remotely exploitable buffer overflow
The seti@home client contains a buffer overflow in the HTTP response handler. A malicious, spoofed seti@home server can exploit this buffer overflow to cause remote code execution on the client. Exploit programs are widely available...
leafnode denial-of-service triggered by article request
The leafnode NNTP server may go into an unterminated loop with 100% CPU use when an article is requested by Message-ID that has been crossposted to several news groups when one of the group names is the prefix of another group name that the article was cross-posted to. Found by Jan Knutar...
pine remotely exploitable buffer overflow in newmail.c
Kris Kennaway reports a remotely exploitable buffer overflow in newmail.c. Mike Silbersack submitted the fix...
MySQL -- Multiple vulnerabilities
Oracle reports: See linked CVE's for details...
Jinja2 -- Sandbox breakout through attr filter selecting format method
[email protected] reports: Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 16 security fixes: 374627491 High CVE-2025-0434: Out of bounds memory access in V8. Reported by ddme on 2024-10-21 379652406 High CVE-2025-0435: Inappropriate implementation in Navigation. Reported by Alesandro Ortiz on 2024-11-18 382786791 High...
Emacs -- Shell injection vulnerability
Problem Description: An Emacs user who chooses to invoke elisp-completion-at-point for code completion on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. This unsafe expansion also occurs if a user chooses to enable...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 12 security fixes: 373263969 High CVE-2024-11110: Inappropriate implementation in Blink. Reported by Vsevolod Kokorin Slonser of Solidlab on 2024-10-14 360520331 Medium CVE-2024-11111: Inappropriate implementation in Autofill. Reported by Narendra...
electron32 -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerabilities: Security: backported fix for CVE-2024-7966. Security: backported fix for CVE-2024-9370...
Unbound -- Denial of service attack
NLnet labs report: A vulnerability has been discovered in Unbound when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to...
FreeBSD -- bhyve(8) privileged guest escape via TPM device passthrough
Problem Description: bhyve can be configured to provide access to the host's TPM device, where it passes the communication through an emulated device provided to the guest. This may be performed on the command-line by starting bhyve with the -l tpm,passthru,/dev/tpmX parameters. The MMIO handler...
frr - BGP
[email protected] reports: An issue was discovered in FRRouting FRR. bgpattrencap in bgpd/bgpattr.c does not check the actual remaining stream length before taking the TLV value...
sqlite -- use-after-free bug in jsonparseaddnodearray
[email protected] reports: A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading t...
phpmyfaq -- multiple vulnerabilities
phpmyfaq developers report: XSS Insufficient session expiration...
GLPI vulnerable to unauthenticated access to Dashboard data
[email protected] reports: GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this...
Gitlab -- Vulnerability
Gitlab reports: Smuggling code changes via merge requests with refs/replace...
rxvt-unicode is vulnerable to a remote code execution
Marc Lehmann reports: The biggest issue is resolving CVE-2022-4170, which allows command execution inside urxvt from within the terminal that means anything that can output text in the terminal can start commands in the context of the urxvt process, even remotely...
varnish -- HTTP/2 Request Forgery Vulnerability
Varnish Cache Project reports: A request forgery attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server t...
powerdns-recursor -- denial of service
PowerDNS Team reports: PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation...
py-nicotine-plus -- Denial of service vulnerability
ztauras reports: Denial of service DoS vulnerability in Nicotine+ starting with version 3.0.3 and prior to version 3.2.1 allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character...
wayland -- integer overflow
Tobias Stoeckmann reports: The libXcursor fix for CVE-2013-2003 has never been imported into wayland, leaving it vulnerable to it...
drupal7 -- fix possible CSS
Drupal Security team reports: Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend...
LibreSSL -- use-after-free
OpenBSD reports: A TLS client using session resumption may cause a use-after-free...
phpldapadmin -- XSS vulnerability
[email protected] reports: An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via getrequest in lib/function.php...
asterisk -- Remote crash in res_pjsip_session
The Asterisk project reports: Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending upon some off nominal circumstances, and timing it...
jupyter notebook -- open redirect vulnerability
Jupyter reports: 6.1.5 is a security release, fixing one vulnerability: Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh CVE to be assigned...
powerdns -- Various issues in GSS-TSIG support
PowerDNS developers report: A remote, unauthenticated attacker can trigger a race condition leading to a crash, or possibly arbitrary code execution, by sending crafted queries with a GSS-TSIG signature. A remote, unauthenticated attacker can cause a denial of service by sending crafted queries...
phpmyadmin -- multiple vulnerabilities
the phpmyadmin team reports: This security fix is part of an ongoing effort to improve the security of the Designer feature and is designated PMASA-2019-5. There is also an improvement for how we sanitize git version information shown on the home page...
FreeBSD -- Reference count overflow in mqueue filesystem 32-bit compat
Problem Description: System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. Impact: A local user can use this flaw to obtain access...
py-matrix-synapse -- multiple vulnerabilities
Matrix developers report: The matrix team releases Synapse 1.2.1 as a critical security update. It contains patches relating to redactions and event federation: Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms. Prevent a denial-of-service...
FreeBSD -- iconv buffer overflow
Problem Description: With certain inputs, iconv may write beyond the end of the output buffer. Impact: Depending on the way in which iconv is used, an attacker may be able to create a denial of service, provoke incorrect program behavior, or induce a remote code execution. iconv is a libc library...
znc -- privilege escalation
Mitre reports: Modules.cpp in ZNC before 1.7.4-rc1 allows remote authenticated non-admin users to escalate privileges and execute arbitrary code by loading a module with a crafted name...
msmtp -- certificate-verification issue
msmtp developers report: In msmtp 1.8.2, when tlstrustfile has its default configuration, certificate-verification results are not properly checked...
Helm -- client unpacking chart that contains malicious content
Helm security notice A specially crafted chart may be able to unpack content into locations on the filesystem outside of the chart's path, potentially overwriting existing files...
Plex Media Server -- Information Disclosure Vulnerability
Chris reports: The XML parsing engine for Plex Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing XXE attack. Unauthenticated attackers on the same LAN can use this vulnerability to: Access arbitrary files from the filesystem with the same permission as the...
wesnoth -- Code Injection vulnerability
shadowm reports: A severe bug was found in the game client which could allow a malicious user to execute arbitrary code through the Lua engine by using specially-crafted code in add-ons, saves, replays, or networked games. This issue affects all platforms and all existing releases since Wesnoth...