6585 matches found
ZendFramework1 -- SQL injection vulnerability
Zend Framework developers report: The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection...
wordpress -- multiple vulnerabilities
Samuel Sidler reports: WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags...
moodle -- multiple vulnerabilities
Moodle Release Notes report: MSA-15-0030: Students can re-attempt answering questions in the lesson CVE-2015-5264 MSA-15-0031: Teacher in forum can still post to "all participants" and groups they are not members of CVE-2015-5272 - 2.7.10 only MSA-15-0032: Users can delete files uploaded by other...
h2o -- directory traversal vulnerability
Yakuzo reports: H2O up to version 1.4.4 / 1.5.0-beta1 contains a flaw in its URL normalization logic. When file.dir directive is used, this flaw allows a remote attacker to retrieve arbitrary files that exist outside the directory specified by the directive. H2O version 1.4.5 and version...
pitivi -- code execution
Luke Farone reports: Double-clicking a file in the user's media library with a specially-crafted path or filename allows for arbitrary code execution with the permissions of the user running Pitivi...
shutter -- arbitrary code execution
Luke Farone reports: In the "Shutter" screenshot application, I discovered that using the "Show in folder" menu option while viewing a file with a specially-crafted path allows for arbitrary code execution with the permissions of the user running Shutter...
Bugzilla security issues
Bugzilla Security Advisory Login names usually an email address longer than 127 characters are silently truncated in MySQL which could cause the domain name of the email address to be corrupted. An attacker could use this vulnerability to create an account with an email address different from the...
plone -- multiple vulnerabilities
Plone.org reports: Versions Affected: All current Plone versions. Versions Not Affected: None. Nature of vulnerability: Allows creation of members by anonymous users on sites that have self-registration enabled, allowing bypass of CAPTCHA and similar protections against scripted attacks. The patc...
qemu -- denial of service vulnerability in IDE disk/CD/DVD-ROM emulation
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the IDE disk and CD/DVD-ROM emulation support is vulnerable to a divide by zero issue. It could occur while executing an IDE command WINREADNATIVEMAX to determine the maximum size of a drive. A privileged user insid...
openldap -- denial of service vulnerability
Denis Andzakovic reports: By sending a crafted packet, an attacker may cause the OpenLDAP server to reach an assert9 9 statement, crashing the daemon...
phpMyAdmin -- reCaptcha bypass
The phpMyAdmin development team reports: This vulnerability allows to complete the reCaptcha test and subsequently perform a brute force attack to guess user credentials without having to complete further reCaptcha tests. We consider this vulnerability to be non critical since reCaptcha is an...
Joomla! -- Core - XSS Vulnerability
The JSST and the Joomla! Security Center report: 20150908 - Core - XSS Vulnerability Inadequate escaping leads to XSS vulnerability in login module...
ffmpeg -- multiple vulnerabilities
NVD reports: The decodeihdrchunk function in libavcodec/pngdec.c in FFmpeg before 2.7.2 does not enforce uniqueness of the IHDR aka image header chunk in a PNG image, which allows remote attackers to cause a denial of service out-of-bounds array access or possibly have unspecified other impact vi...
qemu -- denial of service vulnerability in e1000 NIC support
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing transmit descriptor data when sending a network packet. A privileged user inside guest could use this flaw to...
ganglia-webfrontend -- auth bypass
Ivan Novikov reports: It's easy to bypass auth by using boolean serialization...
pgbouncer -- failed auth_query lookup leads to connection as auth_user
PgBouncer reports: New authuser functionality introduced in 1.6 allows login as authuser when client presents unknown username. It's quite likely authuser is superuser. Affects only setups that have enabled authuser in their config...
php -- multiple vulnerabilities
PHP reports: Core: Fixed bug 70172 Use After Free Vulnerability in unserialize. Fixed bug 70219 Use after free vulnerability in session deserializer. EXIF: Fixed bug 70385 Buffer over-read in exifreaddata with TIFF IFD tag byte value of 32 bytes. hash: Fixed bug 70312 HAVAL gives wrong hashes in...
powerdns -- denial of service
PowerDNS reports: A bug was found in our DNS packet parsing/generation code, which, when exploited, can cause individual threads disabling service or whole processes allowing a supervisor to restart them to crash with just one or a few query packets...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 29 security fixes in this release, including: 516377 High CVE-2015-1291: Cross-origin bypass in DOM. Credit to anonymous. 522791 High CVE-2015-1292: Cross-origin bypass in ServiceWorker. Credit to Mariusz Mlynski. 524074 High CVE-2015-1293: Cross-origin bypass in...
devel/ipython -- multiple vulnerabilities
Matthias Bussonnier reports: Summary: Local folder name was used in HTML templates without escaping, allowing XSS in said pages by carefully crafting folder name and URL to access it. URI with issues: GET /tree/ Benjamin RK reports: Vulnerability: A maliciously forged file opened for editing can...
gdk-pixbuf2 -- integer overflows
Matthias Clasen reports: Fix several integer overflows...
freeimage -- multiple integer overflows
Pcheng pcheng reports: An integer overflow issue in the FreeImage project was reported and fixed recently...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2015-95 Add-on notification bypass through data URLs MFSA 2015-94 Use-after-free when resizing canvas element during restyling...
FreeBSD -- Local privilege escalation in IRET handler
Problem Description: If the kernel-mode IRET instruction generates an SS or NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler. Impact: By causi...
tarsnap -- buffer overflow and local DoS
Colin Percival reports: 1. SECURITY FIX: When constructing paths of objects being archived, a buffer could overflow by one byte upon encountering 1024, 2048, 4096, etc. byte paths. Theoretically this could be exploited by an unprivileged user whose files are being archived; I do not believe it is...
pcre -- heap overflow vulnerability
Guanxing Wen reports: PCRE library is prone to a vulnerability which leads to Heap Overflow. During the compilation of a malformed regular expression, more data is written on the malloced block than the expected size output by compileregex. The Heap Overflow vulnerability is caused by the followi...
codeigniter -- SQL injection vulnerability
The CodeIgniter changelog reports: Security: Fixed an SQL injection vulnerability in Active Record method offset...
OpenSSH -- PermitRootLogin may allow password connections with 'without-password'
OpenSSH 7.0 contained a logic error in PermitRootLogin= prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication. This problem was reported by Mantas Mikulenas...
vlc -- arbitrary pointer dereference vulnerability
oCERT reports: The stable VLC version suffers from an arbitrary pointer dereference vulnerability. The vulnerability affects the 3GP file format parser, insufficient restrictions on a writable buffer can be exploited to execute arbitrary code via the heap memory. A specific 3GP file can be crafte...
bind -- denial of service vulnerability
ISC reports: Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately...
drupal -- multiple vulnerabilities
Drupal development team reports: This security advisory fixes multiple vulnerabilities. See below for a list. Cross-site Scripting - Ajax system - Drupal 7 A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax on a whitelisted HTML...
bind -- denial of service vulnerability
ISC reports: An incorrect boundary check in openpgpkey61.c can cause named to terminate due to a REQUIRE assertion failure. This defect can be deliberately exploited by an attacker who can provide a maliciously constructed response in answer to a query...
FreeBSD -- Multiple integer overflows in expat (libbsdxml) XML parser
Problem Description: Multiple integer overflows have been discovered in the XMLGetBuffer function in the expat library. Impact: The integer overflows may be exploited by using specifically crafted XML data and lead to infinite loop, or a heap buffer overflow, which results in a Denial of Service...
django -- multiple vulnerabilities
Tim Graham reports: Denial-of-service possibility in logout view by filling session store Previously, a session could be created when anonymously accessing the django.contrib.auth.views.logout view provided it wasn't decorated with django.contrib.auth.decorators.loginrequired as done in the admin...
qemu -- buffer overflow vulnerability in VNC
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the VNC display driver support is vulnerable to a buffer overflow flaw leading to a heap memory corruption issue. It could occur while refreshing the server display surface via routine vncrefreshserversurface. A...
jasper -- multiple vulnerabilities
Martin Prpic reports: A double free flaw was found in the way JasPer's jasperimagestopload function parsed certain JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. Feist Josselin reports: A new use-after-free was found in Jasper JPEG-200. The...
openjpeg -- use-after-free vulnerability
Feist Josselin reports: Use-after-free was found in openjpeg. The vuln is fixed in version 2.1.1 and was located in opjj2kwritemco function...
unreal -- denial of service
Unreal reports: Summary: If SASL support is enabled in UnrealIRCd this is not the default and is also enabled in your services package then a malicious user with a services account can cause UnrealIRCd to crash...
RT -- two XSS vulnerabilities
Best Practical reports: RT 4.0.0 and above are vulnerable to a cross-site scripting XSS attack via the user and group rights management pages. This vulnerability is assigned CVE-2015-5475. It was discovered and reported by Marcin Kopec at Data Reliance Shared Service Center. RT 4.2.0 and above ar...
pear-twig -- remote code execution
Fabien Potencier reports: End users can craft valid Twig code that allows them to execute arbitrary code RCEs via the self variable, which is always available, even in sandboxed templates...
wireshark -- multiple vulnerabilities
Wireshark development team reports: The following vulnerabilities have been fixed. wnpa-sec-2015-21 Protocol tree crash. Bug 11309 wnpa-sec-2015-22 Memory manager crash. Bug 11373 wnpa-sec-2015-23 Dissector table crash. Bug 11381 wnpa-sec-2015-24 ZigBee crash. Bug 11389 wnpa-sec-2015-25 GSM RLC/M...
mbedTLS/PolarSSL -- multiple vulnerabilities
ARM Limited reports: In order to strengthen the minimum requirements for connections and to protect against the Logjam attack, the minimum size of Diffie-Hellman parameters accepted by the client has been increased to 1024 bits. In addition the default size for the Diffie-Hellman parameters on th...
OpenSSH -- PAM vulnerabilities
OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences. Reported by Nikolay Edigaryev. Fixed a privilege separation weakness related to PAM support. Attackers who could...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2015-79 Miscellaneous memory safety hazards rv:40.0 / rv:38.2 MFSA 2015-80 Out-of-bounds read with malformed MP3 file MFSA 2015-81 Use-after-free in MediaStream playback MFSA 2015-82 Redefinition of non-configurable JavaScript object properties MFSA 2015-83...
Adobe Flash Player -- critical vulnerabilities
Adobe reports: Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. These updates resolve type confusion vulnerabilities that could lead to code execution...
libvpx -- multiple buffer overflows
The Mozilla Project reports: Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover two buffer overflow issues in the Libvpx library used for WebM video when decoding a malformed WebM video file. These buffer overflows result in...
mediawiki -- multiple vulnerabilities
MediaWiki reports: Internal review discovered that Special:DeletedContributions did not properly protect the IP of autoblocked users. This fix makes the functionality of Special:DeletedContributions consistent with Special:Contributions and Special:BlockList. Internal review discovered that...
vorbis-tools, opus-tools -- multiple vulnerabilities
Paris Zoumpouloglou reports: I discovered an integer overflow issue in oggenc, related to the number of channels in the input WAV file. The issue triggers an out-of-bounds memory access which causes oggenc to crash. Paris Zoumpouloglou reports: A crafted WAV file with number of channels set to 0...
libpgf -- use-after-free
Pengsu Cheng reports: An use-after-free issue in Decoder.cpp was reported to upstream. The problem is due to lack of validation of ColorTableSize...
screen -- stack overflow
Kuang-che Wu reports: screen will recursively call MScrollV to depth n/256. This is time consuming and will overflow stack if n is huge...