powerdns -- multiple vulnerabilities
PowerDNS Team reports: CVE-2019-10162: An issue has been found in PowerDNS Authoritative Server allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The issue is due to the fact that the Authoritative Server will exit whe...
PostgreSQL -- Stack-based buffer overflow via setting a password
The PostgreSQL project reports: An authenticated user could create a stack-based buffer overflow by changing their own password to a purpose-crafted value. In addition to the ability to crash the PostgreSQL server, this could be further exploited to execute arbitrary code as the PostgreSQL...
Mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2019-11708: sandbox escape using Prompt:Open. Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When...
Mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2019-11707: Type confusion in Array.pop. A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. CVE-2019-11708...
FreeBSD -- Resource exhaustion in non-default RACK TCP stack
Problem Description: While processing acknowledgements, the RACK code uses several linked lists to maintain state entries. A malicious attacker can cause the lists to grow unbounded. This can cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a...
expat2 -- Fix extraction of namespace prefixes from XML names
expat project reports: XML names with multiple colons could end up in the wrong namespace, and take a high amount of RAM and CPU resources while processing, opening the door to use for denial-of-service attacks...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2019-11707: Type confusion in Array.pop. A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw...
GraphicsMagick -- multiple vulnerabilities
GraphicsMagick News: Read "Security Fixes:" section for details...
znc -- privilege escalation
Mitre reports: Modules.cpp in ZNC before 1.7.4-rc1 allows remote authenticated non-admin users to escalate privileges and execute arbitrary code by loading a module with a crafted name...
asterisk -- Remote crash vulnerability with MESSAGE messages
The Asterisk project reports: A specially crafted SIP in-dialog MESSAGE message can cause Asterisk to crash...
Mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2019-11703: Heap buffer overflow in icalparser.c. A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in parser_get_next_char when processing certain email messages, resulting in a potentially exploitable crash. CVE-2019-11704: Heap buffer...
Flash Player -- arbitrary code execution
Adobe reports: This update resolves a use-after-free vulnerability that could lead to arbitrary code execution CVE-2019-7845...
mybb -- vulnerabilities
mybb Team reports: High risk: Theme import stylesheet name RCE; High risk: Nested video MyCode persistent XSS; Medium risk: Find Orphaned Attachments reflected XSS; Medium risk: Post edit reflected XSS; Medium risk: Private Messaging folders SQL injection; Low risk: Potential phar deserialization...
phpMyAdmin -- CSRF vulnerability in login form
The phpMyAdmin development team reports: Summary: CSRF vulnerability in login form. Description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken tag pointing at the victim's phpMyAdmi...
Django -- AdminURLFieldWidget XSS
Django security releases issued: The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickabl...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Remote Command Execution Vulnerability on Repository Download Feature; Confidential Issue Titles Revealed to Restricted Users on Unsubscribe; Disclosure of Milestone Metadata through the Search API; Private Project Discovery via Comment Links; Metadata of Confidential Issues Disclosed...
ntp -- Multiple vulnerabilities
nwtime.org reports: Three ntp vulnerabilities; depending on configuration, they may have little impact or may allow up to termination of the ntpd process. NTP Bug 3610: process_control should exit earlier on short packets. On systems that override the default and enable ntpdc mode 7, fuzz testing detected that a sho...
bro -- Unsafe integer conversions can cause unintentional code paths to be executed
Jon Siwek of Corelight reports: The following Denial of Service vulnerabilities are addressed: Integer type mismatches in BinPAC-generated parser code and Bro analyzer code may allow for crafted packet data to cause unintentional code paths in the analysis logic to be taken due to unsafe integer...
Exim -- RCE in deliver_message() function
Exim team and Qualys report: We received a report of a possible remote exploit. Currently there is no evidence of an active use of this exploit. A patch exists already, is being tested, and backported to all versions we released since and including 4.87. The severity depends on your configuration...
Vim/NeoVim -- Security vulnerability
Security releases for Vim/NeoVim: Sandbox escape allows for arbitrary code execution...
curl -- multiple vulnerabilities
curl security problems: CVE-2019-5435: Integer overflows in curl_url_set. libcurl contains two integer overflows in the curl_url_set function that if triggered, can lead to a too small buffer allocation and a subsequent heap buffer overflow. The flaws only exist on 32 bit architectures and require...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS; CVE-2019-9816: Type confusion with object groups and UnboxedObjects; CVE-2019-9817: Stealing of cross-domain images using canvas; CVE-2019-9818: Use-after-free in crash generation server...
vlc -- Double free in Matroska demuxer
The VLC project reports: mkv: Fix potential double free...
Payara -- A Polymorphic Typing issue in FasterXML jackson-databind
Payara Releases reports: The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases: CVE-2019-12086 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9...
FreeBSD -- Microarchitectural Data Sampling (MDS)
Problem Description: On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure. Impact: An attacker may be able to read secret data from the kernel or from a process when executing...
Flash Player -- arbitrary code execution
Adobe reports: This update resolves a use-after-free vulnerability that could lead to arbitrary code execution CVE-2019-7837...
FreeBSD -- ICMP/ICMP6 packet filter bypass in pf
Problem Description: States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in their payload matching an existing condition. pf(4) does not check if the outer ICMP or ICMP6 packet has the same destination IP as the source IP of the inner protocol packet. Impact: A maliciously crafted...
FreeBSD -- IPv6 fragment reassembly panic in pf(4)
Problem Description: A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last extension header offset from the last received packet instead of from the first packet. Impact: Malicious IPv6 packets with different IPv6 extensions could cause a kernel panic or potentially a filterin...
samba -- multiple vulnerabilities
The samba project reports: The checksum validation in the S4U2Self handler in the embedded Heimdal KDC did not first confirm that the checksum was keyed, allowing replacement of the requested target client principal. Authenticated users with write permission can trigger a symlink traversal to writ...
Rust -- violation of Rust's safety guarantees
Sean McArthur reports: The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, can violate Rust's safety guarantees and cause memory unsafety. If the Error::type_id method is overridden then any type can be safely cast to any other typ...
sqlite3 -- use after free
MITRE reports: An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigg...
PostgreSQL -- Memory disclosure in partition routing
The PostgreSQL project reports: Prior to this release, a user running PostgreSQL 11 can read arbitrary bytes of server memory by executing a purpose-crafted INSERT statement to a partitioned table...
chromium -- use after free
Google Chrome Releases reports: 961413 High CVE-2019-5842: Use-after-free in Blink. Reported by BUGFENSE Anonymous Bug Bounties https://bugfense.io on 2019-05-09...
PostgreSQL -- Selectivity estimators bypass row security policies
The PostgreSQL project reports: PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user able to execute SQL queries with permissions to read a given column could craft a leaky operato...
drupal -- Drupal core - Moderately critical
Drupal Security Team reports: CVE-2019-11831: By-passing protection of Phar Stream Wrapper Interceptor. In order to intercept file invocations like file_exists or stat on compromised Phar archives, the base name has to be determined and checked before allowing it to be handled by the PHP Phar stream...
buildbot -- OAuth Authentication Vulnerability
Buildbot accepted a user-submitted authorization token from OAuth and used it to authenticate the user. The vulnerability can allow malicious attackers to authenticate as legitimate users of a Buildbot instance without knowledge of the victim's login credentials in certain scenarios. If an attacker h...
serendipity -- XSS
MITRE: Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/mediachoose.tpl Editor Preview feature or the templates/2k11/admin/mediaitems.tpl Media Library feature...
Gitlab -- Information Disclosure
Gitlab reports: Information Disclosure with Limited Scope Token...
Gitlab -- Multiple vulnerabilities
Gitlab reports: Moving an Issue to Private Repo Leaks Project Namespace; Notification Emails Sent to Restricted Users; Unauthorized Comments on Confidential Issues; Merge Request Approval Count Inflation; Unsanitized Branch Names on New Merge Request Notification Emails; Improper Sanitation of...
mediawiki -- multiple vulnerabilities
Mediawiki reports: Security fixes: T197279, CVE-2019-12468: Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover. T204729, CVE-2019-12473: Passing invalid titles to the API could cause a DoS by querying the entire watchlist...
gitea -- multiple vulnerabilities
Gitea Team reports: This release contains two new security fixes which cannot be backported to the 1.7.0 branch, so it is recommended to update to this version...
www/varnish7 -- Denial of Service
The Varnish Development Team reports: A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can let the server's HTTP/2 connection control flow window run out of credits indefinitely and prevent progress in the processing of...
cyrus-imapd -- buffer overrun in httpd
Cyrus IMAP 3.0.10 Release Notes states: Fixed CVE-2019-11356: buffer overrun in httpd...
FreeBSD -- EAP-pwd message reassembly issue with unexpected fragment
Problem Description: The EAP-pwd implementation in the hostapd EAP server and wpa_supplicant EAP peer does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference. See...
drupal -- Drupal core - Moderately critical
Drupal Security Team reports: CVE-2019-10909: Escape validation messages in the PHP templating engine. CVE-2019-10910: Check service IDs are valid. CVE-2019-10911: Add a separator in the remember me cookie hash. jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, ...)...
MySQL -- multiple vulnerabilities
Oracle reports: Critical Patch Update Oracle MySQL Executive Summary This Critical Patch Update contains 44 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials...
gitea -- remote code execution
The Gitea team reports: Prevent remote code execution vulnerability with mirror repo URL settings...
Dovecot -- improper input validation
Aki Tuomi reports: Vulnerability Details: IMAP and ManageSieve protocol parsers do not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes. Risk: This vulnerability allows for out-of-bounds writes to objects stored on the heap up to 8096 byte...
FreeBSD -- EAP-pwd missing commit validation
Problem Description: The EAP-pwd implementation in the hostapd EAP server and wpa_supplicant EAP peer does not validate the received scalar and element values in EAP-pwd-Commit messages properly. This could result in attacks that would be able to complete the EAP-pwd authentication exchange without the...
FreeBSD -- SAE confirm missing state validation
Problem Description: When hostapd is used to operate an access point with SAE (Simultaneous Authentication of Equals; also known as WPA3-Personal), an invalid authentication sequence could result in the hostapd process terminating due to a NULL pointer dereference when processing SAE confirm messag...