Filtered by vendor Debian
Subscribe
Total
8236 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-18257 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2018-07-03 | 4.9 MEDIUM | 5.5 MEDIUM |
The __get_data_block function in fs/f2fs/data.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl. | |||||
CVE-2018-1064 | 2 Debian, Redhat | 2 Debian Linux, Libvirt | 2018-06-19 | 5.0 MEDIUM | 7.5 HIGH |
libvirt version before 4.2.0-rc1 is vulnerable to a resource exhaustion as a result of an incomplete fix for CVE-2018-5748 that affects QEMU monitor but now also triggered via QEMU guest agent. | |||||
CVE-2014-9653 | 3 Debian, File Project, Php | 3 Debian Linux, File, Php | 2018-06-15 | 7.5 HIGH | N/A |
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. | |||||
CVE-2017-18266 | 3 Canonical, Debian, Freedesktop | 3 Ubuntu Linux, Debian Linux, Xdg-utils | 2018-06-14 | 6.8 MEDIUM | 8.8 HIGH |
The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable. | |||||
CVE-2018-10380 | 3 Debian, Kde, Opensuse | 3 Debian Linux, Plasma, Leap | 2018-06-12 | 7.2 HIGH | 7.8 HIGH |
kwallet-pam in KDE KWallet before 5.12.6 allows local users to obtain ownership of arbitrary files via a symlink attack. | |||||
CVE-2018-9846 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2018-05-24 | 6.8 MEDIUM | 8.8 HIGH |
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism. | |||||
CVE-2017-2295 | 2 Debian, Puppet | 2 Debian Linux, Puppet | 2018-05-24 | 6.0 MEDIUM | 8.2 HIGH |
Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML. | |||||
CVE-2015-6496 | 2 Debian, Netfilter | 2 Debian Linux, Conntrack-tools | 2018-05-22 | 5.0 MEDIUM | N/A |
conntrackd in conntrack-tools 1.4.2 and earlier does not ensure that the optional kernel modules are loaded before using them, which allows remote attackers to cause a denial of service (crash) via a (1) DCCP, (2) SCTP, or (3) ICMPv6 packet. | |||||
CVE-2018-0493 | 2 Debian, Eyrie | 2 Debian Linux, Remctl | 2018-05-21 | 6.5 MEDIUM | 7.2 HIGH |
remctld in remctl before 3.14, when an attacker is authorized to execute a command that uses the sudo option, has a use-after-free that leads to a daemon crash, memory corruption, or arbitrary command execution. | |||||
CVE-2016-9646 | 2 Debian, Ikiwiki | 2 Debian Linux, Ikiwiki | 2018-05-18 | 5.0 MEDIUM | 5.3 MEDIUM |
ikiwiki before 3.20161229 incorrectly called the CGI::FormBuilder->field method (similar to the CGI->param API that led to Bugzilla's CVE-2014-1572), which can be abused to lead to commit metadata forgery. | |||||
CVE-2017-0356 | 2 Debian, Ikiwiki | 2 Debian Linux, Ikiwiki | 2018-05-18 | 7.5 HIGH | 9.8 CRITICAL |
A flaw, similar to to CVE-2016-9646, exists in ikiwiki before 3.20170111, in the passwordauth plugin's use of CGI::FormBuilder, allowing an attacker to bypass authentication via repeated parameters. | |||||
CVE-2017-0357 | 2 Debian, Iucode-tool Project | 2 Debian Linux, Iucode-tool | 2018-05-18 | 7.5 HIGH | 9.8 CRITICAL |
A heap-overflow flaw exists in the -tr loader of iucode-tool starting with v1.4 and before v2.1.1, potentially leading to SIGSEGV, or heap corruption. | |||||
CVE-2018-10102 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2018-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. | |||||
CVE-2018-10100 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2018-05-18 | 5.8 MEDIUM | 6.1 MEDIUM |
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. | |||||
CVE-2015-8312 | 2 Debian, Openafs | 2 Debian Linux, Openafs | 2018-05-17 | 7.2 HIGH | 7.8 HIGH |
Off-by-one error in afs_pioctl.c in OpenAFS before 1.6.16 might allow local users to cause a denial of service (memory overwrite and system crash) via a pioctl with an input buffer size of 4096 bytes. | |||||
CVE-2017-0372 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2018-05-17 | 7.5 HIGH | 9.8 CRITICAL |
Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities. | |||||
CVE-2017-0362 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2018-05-15 | 6.8 MEDIUM | 8.8 HIGH |
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token. | |||||
CVE-2017-0361 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2018-05-14 | 2.1 LOW | 7.8 HIGH |
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext. | |||||
CVE-2017-0370 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2018-05-14 | 5.0 MEDIUM | 5.3 MEDIUM |
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw were Spam blacklist is ineffective on encoded URLs inside file inclusion syntax's link parameter. | |||||
CVE-2017-0368 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2018-05-14 | 5.0 MEDIUM | 5.3 MEDIUM |
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw making rawHTML mode apply to system messages. |