Lucene search

K
SuseSuse Linux Enterprise Server12

46 matches found

CVE
CVE
added 2018/11/07 5:29 a.m.2265 views

CVE-2018-19052

An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target fil...

7.5CVSS7.3AI score0.42596EPSS
CVE
CVE
added 2015/05/21 12:59 a.m.1130 views

CVE-2015-4000

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then ...

4.3CVSS4.8AI score0.94027EPSS
CVE
CVE
added 2018/01/04 1:29 p.m.1018 views

CVE-2017-5753

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

5.6CVSS6.1AI score0.94332EPSS
CVE
CVE
added 2016/05/05 6:59 p.m.488 views

CVE-2016-3714

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."

10CVSS8AI score0.93863EPSS
CVE
CVE
added 2020/01/09 10:15 p.m.337 views

CVE-2020-5504

In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

8.8CVSS8.6AI score0.19756EPSS
CVE
CVE
added 2020/07/29 6:15 p.m.318 views

CVE-2020-15707

Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extrem...

6.4CVSS7.6AI score0.00033EPSS
CVE
CVE
added 2020/07/29 6:15 p.m.285 views

CVE-2020-15706

GRUB2 contains a race condition in grub_script_function_create() leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already executing, leading to arbitrary code execution and secure boot restriction bypass. This issue affects GRUB2 ...

6.4CVSS7.7AI score0.00064EPSS
CVE
CVE
added 2020/07/29 6:15 p.m.284 views

CVE-2020-15705

GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. Thi...

6.4CVSS7.1AI score0.00018EPSS
CVE
CVE
added 2020/03/23 4:15 p.m.266 views

CVE-2020-6429

Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8CVSS8.8AI score0.02916EPSS
CVE
CVE
added 2020/03/23 4:15 p.m.265 views

CVE-2020-6422

Use after free in WebGL in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8CVSS8.8AI score0.02877EPSS
CVE
CVE
added 2020/03/23 4:15 p.m.262 views

CVE-2020-6426

Inappropriate implementation in V8 in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.5CVSS6.8AI score0.01082EPSS
CVE
CVE
added 2016/02/18 9:59 p.m.255 views

CVE-2015-7547

Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a...

8.1CVSS8.4AI score0.93421EPSS
CVE
CVE
added 2017/07/21 2:29 p.m.213 views

CVE-2015-5300

The panic_gate check in NTP before 4.2.8p5 is only re-enabled after the first change to the system clock that was greater than 128 milliseconds by default, which allows remote attackers to set NTP to an arbitrary time when started with the -g option, or to alter the time by up to 900 seconds otherw...

7.5CVSS7.6AI score0.17786EPSS
CVE
CVE
added 2018/11/28 5:29 p.m.211 views

CVE-2018-12116

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to mad...

7.5CVSS7.5AI score0.00707EPSS
CVE
CVE
added 2018/11/28 5:29 p.m.191 views

CVE-2018-12122

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.

7.5CVSS7.3AI score0.03833EPSS
CVE
CVE
added 2020/03/23 4:15 p.m.190 views

CVE-2020-6427

Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8CVSS8.8AI score0.02916EPSS
CVE
CVE
added 2020/03/23 4:15 p.m.181 views

CVE-2020-6428

Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8CVSS8.8AI score0.02916EPSS
CVE
CVE
added 2020/03/23 4:15 p.m.178 views

CVE-2020-6424

Use after free in media in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8CVSS8.8AI score0.0261EPSS
CVE
CVE
added 2017/01/30 9:59 p.m.159 views

CVE-2015-7976

The ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4.3.25, 4.3.70, and 4.3.77 does not properly filter special characters, which allows attackers to cause unspecified impact via a crafted filename.

4.3CVSS5.6AI score0.04193EPSS
CVE
CVE
added 2020/03/23 4:15 p.m.158 views

CVE-2020-6449

Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8CVSS8.8AI score0.06387EPSS
CVE
CVE
added 2019/10/07 2:15 p.m.156 views

CVE-2019-3688

The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterprise Server 15 before and including version 4.8-5.8.1 and in SUSE Linux Enterprise Server 12 before and including 3.5.21-26.17.1 had squid:root, 0750 permissions. This allowed an attacker that compromissed the squid user to gain pe...

7.1CVSS6.2AI score0.00057EPSS
CVE
CVE
added 2020/02/04 8:15 p.m.154 views

CVE-2019-15624

Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.

4.9CVSS5.7AI score0.00315EPSS
CVE
CVE
added 2014/12/02 4:59 p.m.147 views

CVE-2014-9116

The write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, which allows remote attackers to cause a denial of service (crash) via a header with an empty body, which triggers a heap-based buffer overflow in the mutt_substrdup function.

5CVSS9AI score0.02619EPSS
CVE
CVE
added 2016/06/27 10:59 a.m.135 views

CVE-2016-5244

The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel through 4.6.3 does not initialize a certain structure member, which allows remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message.

7.5CVSS6.9AI score0.01662EPSS
CVE
CVE
added 2014/11/10 11:55 a.m.124 views

CVE-2014-3673

The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c.

7.8CVSS7.1AI score0.09797EPSS
CVE
CVE
added 2016/04/19 9:59 p.m.121 views

CVE-2015-8776

The strftime function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly obtain sensitive information via an out-of-range time value.

9.1CVSS8.5AI score0.06886EPSS
CVE
CVE
added 2016/04/19 9:59 p.m.119 views

CVE-2014-9761

Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function.

9.8CVSS9AI score0.03538EPSS
CVE
CVE
added 2016/04/19 9:59 p.m.117 views

CVE-2015-8778

Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the size argument to the __hcreate_r function, which triggers out-of-bounds heap-memory access.

9.8CVSS9.1AI score0.08413EPSS
CVE
CVE
added 2016/04/19 9:59 p.m.116 views

CVE-2015-8779

Stack-based buffer overflow in the catopen function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long catalog name.

9.8CVSS9.2AI score0.06371EPSS
CVE
CVE
added 2015/07/06 2:1 a.m.104 views

CVE-2015-2738

The YCbCrImageDataDeserializer::ToDataSourceSurface function in the YCbCr implementation in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 reads data from uninitialized memory locations, which has unspecified impact and attack vectors.

10CVSS4.4AI score0.01514EPSS
CVE
CVE
added 2015/07/06 2:1 a.m.98 views

CVE-2015-2734

The CairoTextureClientD3D9::BorrowDrawTarget function in the Direct3D 9 implementation in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 reads data from uninitialized memory locations, which has unspecified impact and attack vectors.

10CVSS4.4AI score0.01514EPSS
CVE
CVE
added 2015/07/06 2:1 a.m.95 views

CVE-2015-2737

The rx::d3d11::SetBufferData function in the Direct3D 11 implementation in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 reads data from uninitialized memory locations, which has unspecified impact and attack vectors.

10CVSS4.4AI score0.01514EPSS
CVE
CVE
added 2015/08/12 2:59 p.m.93 views

CVE-2015-5154

Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.

7.2CVSS6.9AI score0.00183EPSS
CVE
CVE
added 2016/04/08 2:59 p.m.90 views

CVE-2016-2315

revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.

10CVSS9.6AI score0.2572EPSS
CVE
CVE
added 2016/04/08 2:59 p.m.86 views

CVE-2016-2324

Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.

10CVSS9.7AI score0.35462EPSS
CVE
CVE
added 2015/04/28 2:59 p.m.74 views

CVE-2015-3340

Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.

2.9CVSS6.3AI score0.00634EPSS
CVE
CVE
added 2016/05/24 3:59 p.m.69 views

CVE-2016-0264

Buffer overflow in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) allows remote attackers to execute arbitrary code via unsp...

6.8CVSS7.2AI score0.12648EPSS
CVE
CVE
added 2017/03/17 2:59 p.m.68 views

CVE-2014-9854

coders/tiff.c in ImageMagick allows remote attackers to cause a denial of service (application crash) via vectors related to the "identification of image."

7.5CVSS7AI score0.01717EPSS
CVE
CVE
added 2017/04/12 8:59 p.m.68 views

CVE-2016-9957

Stack-based buffer overflow in game-music-emu before 0.6.1.

7.8CVSS8.7AI score0.00291EPSS
CVE
CVE
added 2016/06/06 5:59 p.m.66 views

CVE-2015-5041

The J9 JVM in IBM SDK, Java Technology Edition 6 before SR16 FP20, 6 R1 before SR8 FP20, 7 before SR9 FP30, and 7 R1 before SR3 FP30 allows remote attackers to obtain sensitive information or inject data by invoking non-public interface methods.

9.1CVSS8.7AI score0.01297EPSS
CVE
CVE
added 2018/11/29 5:29 a.m.65 views

CVE-2018-19655

A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file.

8.8CVSS8.1AI score0.00824EPSS
CVE
CVE
added 2017/04/12 8:59 p.m.62 views

CVE-2016-9958

game-music-emu before 0.6.1 allows remote attackers to write to arbitrary memory locations.

7.8CVSS8.5AI score0.00313EPSS
CVE
CVE
added 2014/06/11 2:55 p.m.53 views

CVE-2014-2977

Multiple integer signedness errors in the Dispatch_Write function in proxy/dispatcher/idirectfbsurface_dispatcher.c in DirectFB 1.4.13 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the Voodoo interface, which triggers a stack-based buffer overfl...

10CVSS7.8AI score0.10198EPSS
CVE
CVE
added 2017/04/12 8:59 p.m.52 views

CVE-2016-9959

game-music-emu before 0.6.1 allows remote attackers to generate out of bounds 8-bit values.

7.8CVSS8.5AI score0.00313EPSS
CVE
CVE
added 2014/06/11 2:55 p.m.47 views

CVE-2014-2978

The Dispatch_Write function in proxy/dispatcher/idirectfbsurface_dispatcher.c in DirectFB 1.4.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the Voodoo interface, which triggers an out-of-bounds write.

10CVSS7.6AI score0.08617EPSS
CVE
CVE
added 2017/03/23 6:59 a.m.40 views

CVE-2016-1602

A code injection in the supportconfig data collection tool in supportutils in SUSE Linux Enterprise Server 12 and 12-SP1 and SUSE Linux Enterprise Desktop 12 and 12-SP1 could be used by local attackers to execute code as the user running supportconfig (usually root).

7.8CVSS7.7AI score0.00113EPSS