Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Debian Subscribe
Total 8236 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-9811 4 Debian, Mozilla, Novell and 1 more 6 Debian Linux, Firefox, Firefox Esr and 3 more 2023-02-28 5.1 MEDIUM 8.3 HIGH
As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
CVE-2019-11717 4 Debian, Mozilla, Novell and 1 more 6 Debian Linux, Firefox, Firefox Esr and 3 more 2023-02-28 5.0 MEDIUM 5.3 MEDIUM
A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
CVE-2019-16163 4 Canonical, Debian, Fedoraproject and 1 more 4 Ubuntu Linux, Debian Linux, Fedora and 1 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.
CVE-2019-16056 7 Canonical, Debian, Fedoraproject and 4 more 10 Ubuntu Linux, Debian Linux, Fedora and 7 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
CVE-2020-4047 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2023-02-27 3.5 LOW 6.8 MEDIUM
In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
CVE-2020-4048 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2023-02-27 4.9 MEDIUM 5.7 MEDIUM
In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
CVE-2020-4050 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2023-02-27 6.0 MEDIUM 3.1 LOW
In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
CVE-2020-14152 2 Debian, Ijg 2 Debian Linux, Libjpeg 2023-02-27 5.8 MEDIUM 7.1 HIGH
In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.
CVE-2020-14399 4 Canonical, Debian, Libvncserver Project and 1 more 4 Ubuntu Linux, Debian Linux, Libvncserver and 1 more 2023-02-27 5.0 MEDIUM 7.5 HIGH
** DISPUTED ** An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c. NOTE: there is reportedly "no trust boundary crossed."
CVE-2020-14400 4 Canonical, Debian, Libvncserver Project and 1 more 4 Ubuntu Linux, Debian Linux, Libvncserver and 1 more 2023-02-27 5.0 MEDIUM 7.5 HIGH
** DISPUTED ** An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. NOTE: Third parties do not consider this to be a vulnerability as there is no known path of exploitation or cross of a trust boundary.
CVE-2020-14954 6 Canonical, Debian, Fedoraproject and 3 more 6 Ubuntu Linux, Debian Linux, Fedora and 3 more 2023-02-27 4.3 MEDIUM 5.9 MEDIUM
Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a man-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."
CVE-2020-10177 4 Canonical, Debian, Fedoraproject and 1 more 4 Ubuntu Linux, Debian Linux, Fedora and 1 more 2023-02-27 4.3 MEDIUM 5.5 MEDIUM
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
CVE-2020-16150 3 Arm, Debian, Fedoraproject 3 Mbed Tls, Debian Linux, Fedora 2023-02-27 2.1 LOW 5.5 MEDIUM
A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS through 2.23.0 allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on a padding length.
CVE-2020-4067 5 Canonical, Coturn Project, Debian and 2 more 5 Ubuntu Linux, Coturn, Debian Linux and 2 more 2023-02-27 5.0 MEDIUM 7.5 HIGH
In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. There is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client. This has been fixed in 4.5.1.3.
CVE-2021-29458 3 Debian, Exiv2, Fedoraproject 3 Debian Linux, Exiv2, Fedora 2023-02-27 4.3 MEDIUM 5.5 MEDIUM
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.4.
CVE-2018-20847 2 Debian, Uclouvain 2 Debian Linux, Openjpeg 2023-02-27 6.8 MEDIUM 8.8 HIGH
An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the function opj_get_encoding_parameters in openjp2/pi.c in OpenJPEG through 2.3.0 can lead to an integer overflow.
CVE-2019-11766 2 Debian, Dhcpcd Project 2 Debian Linux, Dhcpcd 2023-02-27 7.5 HIGH 9.8 CRITICAL
dhcp6.c in dhcpcd before 6.11.7 and 7.x before 7.2.2 has a buffer over-read in the D6_OPTION_PD_EXCLUDE feature.
CVE-2019-16729 3 Canonical, Debian, Pam-python Project 3 Ubuntu Linux, Debian Linux, Pam-python 2023-02-27 7.2 HIGH 7.8 HIGH
pam-python before 1.0.7-1 has an issue in regard to the default environment variable handling of Python, which could allow for local root escalation in certain PAM setups.
CVE-2019-19448 4 Canonical, Debian, Linux and 1 more 27 Ubuntu Linux, Debian Linux, Linux Kernel and 24 more 2023-02-27 6.8 MEDIUM 7.8 HIGH
In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure.
CVE-2019-10901 5 Canonical, Debian, Fedoraproject and 2 more 5 Ubuntu Linux, Debian Linux, Fedora and 2 more 2023-02-27 5.0 MEDIUM 7.5 HIGH
In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the LDSS dissector could crash. This was addressed in epan/dissectors/packet-ldss.c by handling file digests properly.