Debian Linux@9.0 Security Vulnerabilities and Issues — Page 79 of Debian Linux@9.0 CVE List

ikiwiki before 3.20161229 incorrectly called the CGI::FormBuilder->field method (similar to the CGI->param API that led to Bugzilla's CVE-2014-1572), which can be abused to lead to commit metadata forgery.

5.3CVSS7.2AI score0.01104EPSS

CVE•added 2017/08/29 11:29 p.m.•51 views

CVE-2017-13760

In The Sleuth Kit (TSK) 4.4.2, fls hangs on a corrupt exfat image in tsk_img_read() in tsk/img/img_io.c in libtskimg.a.

5.5CVSS5.5AI score0.00273EPSS

CVE•added 2017/05/02 2:59 p.m.•51 views

CVE-2017-7483

Rxvt 2.7.10 is vulnerable to a denial of service attack by passing the value -2^31 inside a terminal escape code, which results in a non-invertible integer that eventually leads to a segfault due to an out of bounds read.

7.5CVSS7.2AI score0.00779EPSS

CVE•added 2017/12/03 7:29 a.m.•51 views

CVE-2017-8819

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, the replay-cache protection mechanism is ineffective for v2 onion services, aka TROVE-2017-009. An attacker can send many INTRODUCE2 cells to trigger this issue.

7.5CVSS7.5AI score0.00546EPSS

CVE•added 2018/04/03 7:29 a.m.•51 views

CVE-2018-0493

remctld in remctl before 3.14, when an attacker is authorized to execute a command that uses the sudo option, has a use-after-free that leads to a daemon crash, memory corruption, or arbitrary command execution.

7.2CVSS7.1AI score0.01016EPSS

CVE•added 2018/03/13 1:29 a.m.•51 views

CVE-2018-1000098

Teluu PJSIP version 2.7.1 and earlier contains a Integer Overflow vulnerability in pjmedia SDP parsing that can result in Crash. This attack appear to be exploitable via Sending a specially crafted message. This vulnerability appears to have been fixed in 2.7.2.

7.5CVSS7.8AI score0.00704EPSS

CVE•added 2020/05/13 3:15 p.m.•51 views

CVE-2020-8020

A Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects: openSUSE open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb.

6.5CVSS6.3AI score0.0022EPSS

CVE•added 2020/05/19 3:15 p.m.•51 views

CVE-2020-8021

a Improper Access Control vulnerability in of Open Build Service allows remote attackers to read files of an OBS package where the sourceaccess/access is disabled This issue affects: Open Build Service versions prior to 2.10.5.

5.3CVSS5.3AI score0.00186EPSS

CVE•added 2019/11/13 8:15 p.m.•50 views

CVE-2010-4654

poppler before 0.16.3 has malformed commands that may cause corruption of the internal stack.

9.3CVSS7.8AI score0.00468EPSS

CVE•added 2019/11/13 10:15 p.m.•50 views

CVE-2010-4664

In ConsoleKit before 0.4.2, an intended security policy restriction bypass was found. This flaw allows an authenticated system user to escalate their privileges by initiating a remote VNC session.

8.8CVSS8.6AI score0.00197EPSS

CVE•added 2019/11/14 2:15 a.m.•50 views

CVE-2011-1488

A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent with...

5.5CVSS5.2AI score0.00153EPSS

CVE•added 2019/11/14 2:15 a.m.•50 views

CVE-2011-1489

A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages were logged when multiple rulesets were used and some output batches contained messages belonging to more than one ruleset. A local attacker could cause denial of the rsyslogd daemon service via a log message b...

5.5CVSS5.3AI score0.00153EPSS

CVE•added 2019/11/07 6:15 p.m.•50 views

CVE-2012-0049

OpenTTD before 1.1.5 contains a Denial of Service (slow read attack) that prevents users from joining the server.

4.3CVSS4.3AI score0.00622EPSS

CVE•added 2019/11/05 7:15 p.m.•50 views

CVE-2013-6275

Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php.

6.5CVSS6.4AI score0.01945EPSS

CVE•added 2019/12/11 3:15 p.m.•50 views

CVE-2013-7371

node-connects before 2.8.2 has cross site scripting in Sencha Labs Connect middleware (vulnerability due to incomplete fix for CVE-2013-7370)

6.1CVSS6AI score0.01082EPSS

CVE•added 2019/11/21 3:15 p.m.•50 views

CVE-2014-1935

9base 1:6-6 and 1:6-7 insecurely creates temporary files which results in predictable filenames.

5.3CVSS5.2AI score0.0047EPSS

CVE•added 2018/04/13 3:29 p.m.•50 views

CVE-2017-0357

A heap-overflow flaw exists in the -tr loader of iucode-tool starting with v1.4 and before v2.1.1, potentially leading to SIGSEGV, or heap corruption.

9.8CVSS9.4AI score0.01689EPSS

CVE•added 2018/03/21 8:29 p.m.•50 views

CVE-2017-0916

Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution.

9.8CVSS8.8AI score0.01291EPSS

CVE•added 2017/12/27 5:8 p.m.•50 views

CVE-2017-17848

An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be sig...

7.5CVSS7.3AI score0.00872EPSS

CVE•added 2018/02/27 8:29 p.m.•50 views

CVE-2017-7671

There is a DOS attack vulnerability in Apache Traffic Server (ATS) 5.2.0 to 5.3.2, 6.0.0 to 6.2.0, and 7.0.0 with the TLS handshake. This issue can cause the server to coredump.

7.5CVSS7.3AI score0.0427EPSS

CVE•added 2018/09/28 12:29 a.m.•50 views

CVE-2018-16587

In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to.

6.5CVSS6.5AI score0.00509EPSS

CVE•added 2019/11/27 6:15 p.m.•49 views

CVE-2011-2187

xscreensaver before 5.14 crashes during activation and leaves the screen unlocked when in Blank Only Mode and when DPMS is disabled, which allows local attackers to access resources without authentication.

7.8CVSS7.4AI score0.00091EPSS

CVE•added 2019/11/22 3:15 p.m.•49 views

CVE-2015-7810

libbluray MountManager class has a time-of-check time-of-use (TOCTOU) race when expanding JAR files

4.7CVSS4.8AI score0.0011EPSS

CVE•added 2018/02/27 8:29 p.m.•49 views

CVE-2017-5660

There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.0 and prior with the Host header and line folding. This can have issues when interacting with upstream proxies and the wrong host being used.

8.6CVSS8.3AI score0.02584EPSS

CVE•added 2017/12/03 7:29 a.m.•49 views

CVE-2017-8821

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can cause a denial of service (application hang) via crafted PEM input that signifies a public key requiring a password, which triggers an attempt by the ...

7.5CVSS7.2AI score0.01001EPSS

CVE•added 2021/12/28 1:15 a.m.•49 views

CVE-2021-45910

An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow within the main function. It allows an attacker to write data outside of the allocated buffer. The attacker has control over a part of the address that data is written to, control over the written data, and (to some exte...

7.8CVSS7.5AI score0.00161EPSS

CVE•added 2019/11/06 3:15 p.m.•48 views

CVE-2011-4625

simplesamlphp before 1.6.3 (squeeze) and before 1.8.2 (sid) incorrectly handles XML encryption which could allow remote attackers to decrypt or forge messages.

7.5CVSS7.4AI score0.00274EPSS

CVE•added 2019/11/12 5:15 p.m.•48 views

CVE-2012-1572

OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space

7.5CVSS7.3AI score0.00416EPSS

CVE•added 2019/11/22 3:15 p.m.•48 views

CVE-2015-5694

Designate does not enforce the DNS protocol limit concerning record set sizes

6.5CVSS6.4AI score0.0094EPSS

CVE•added 2018/04/12 4:29 p.m.•48 views

CVE-2018-10060

Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.

5.4CVSS5.4AI score0.00667EPSS

CVE•added 2020/01/28 5:15 p.m.•48 views

CVE-2020-8086

The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin.

9.8CVSS9.1AI score0.0067EPSS

CVE•added 2021/04/06 8:15 a.m.•48 views

CVE-2021-30163

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.

7.5CVSS7.3AI score0.00495EPSS

CVE•added 2019/11/07 11:15 p.m.•47 views

CVE-2007-6745

clamav 0.91.2 suffers from a floating point exception when using ScanOLE2.

9.8CVSS9.4AI score0.00651EPSS

CVE•added 2019/11/19 4:15 p.m.•47 views

CVE-2012-0843

uzbl: Information disclosure via world-readable cookies storage file

5.5CVSS5.2AI score0.00146EPSS

CVE•added 2019/11/25 3:15 p.m.•47 views

CVE-2012-5644

libuser has information disclosure when moving user's home directory

5.5CVSS5.6AI score0.00066EPSS

CVE•added 2019/11/05 3:15 p.m.•47 views

CVE-2013-6461

Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits

6.5CVSS6.4AI score0.02046EPSS

CVE•added 2017/09/01 9:29 p.m.•47 views

CVE-2017-12874

The InfoCard module 1.0 for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.

7.5CVSS7.7AI score0.00282EPSS

CVE•added 2019/11/12 9:15 p.m.•46 views

CVE-2010-3299

The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.

6.5CVSS6.4AI score0.00224EPSS

CVE•added 2019/11/20 4:15 p.m.•46 views

CVE-2011-0529

Weborf before 0.12.5 is affected by a Denial of Service (DOS) due to malformed fields in HTTP.

7.5CVSS7.4AI score0.00447EPSS

CVE•added 2019/11/20 3:15 p.m.•46 views

CVE-2011-1028

The $smarty.template variable in Smarty3 allows attackers to possibly execute arbitrary PHP code via the sysplugins/smarty_internal_compile_private_special_variable.php file.

9.8CVSS9.7AI score0.00517EPSS

CVE•added 2020/03/10 5:15 p.m.•46 views

CVE-2012-1096

NetworkManager 0.9 and earlier allows local users to use other users' certificates or private keys when making a connection via the file path when adding a new connection.

5.5CVSS5.4AI score0.00352EPSS

CVE•added 2019/10/31 7:15 p.m.•46 views

CVE-2013-1910

yum does not properly handle bad metadata, which allows an attacker to cause a denial of service and possibly have other unspecified impact via a Trojan horse file in the metadata of a remote repository.

9.8CVSS9.2AI score0.00849EPSS

CVE•added 2019/12/03 2:15 p.m.•46 views

CVE-2013-2106

webauth before 4.6.1 has authentication credential disclosure

7.5CVSS7.5AI score0.00397EPSS

CVE•added 2020/07/06 2:15 p.m.•46 views

CVE-2020-15569

PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor.

5.5CVSS5.6AI score0.002EPSS

CVE•added 2020/07/27 7:15 a.m.•46 views

CVE-2020-15954

KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.