Filtered by vendor Debian
Subscribe
Search
Total
6968 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-8849 | 2 Debian, Smb4k Project | 2 Debian Linux, Smb4k | 2019-03-18 | 7.2 HIGH | 7.8 HIGH |
| smb4k before 2.0.1 allows local users to gain root privileges by leveraging failure to verify arguments to the mount helper DBUS service. | |||||
| CVE-2017-18241 | 3 Canonical, Debian, Linux | 3 Ubuntu Linux, Debian Linux, Linux Kernel | 2019-03-18 | 4.9 MEDIUM | 5.5 MEDIUM |
| fs/f2fs/segment.c in the Linux kernel before 4.13 allows local users to cause a denial of service (NULL pointer dereference and panic) by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure. | |||||
| CVE-2017-5356 | 2 Debian, Irssi | 2 Debian Linux, Irssi | 2019-03-15 | 5.0 MEDIUM | 7.5 HIGH |
| Irssi before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a string containing a formatting sequence (%[) without a closing bracket (]). | |||||
| CVE-2017-9061 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename. | |||||
| CVE-2017-9063 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session. | |||||
| CVE-2017-9064 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 6.8 MEDIUM | 8.8 HIGH |
| In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. | |||||
| CVE-2017-9065 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 5.0 MEDIUM | 7.5 HIGH |
| In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. | |||||
| CVE-2017-9066 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 5.0 MEDIUM | 8.6 HIGH |
| In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. | |||||
| CVE-2018-0494 | 4 Canonical, Debian, Gnu and 1 more | 6 Ubuntu Linux, Debian Linux, Wget and 3 more | 2019-03-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line. | |||||
| CVE-2017-9469 | 2 Debian, Irssi | 2 Debian Linux, Irssi | 2019-03-14 | 5.0 MEDIUM | 7.5 HIGH |
| In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC files, it tries to find the terminating quote one byte before the allocated memory. Thus, remote attackers might be able to cause a crash. | |||||
| CVE-2017-9468 | 2 Debian, Irssi | 2 Debian Linux, Irssi | 2019-03-14 | 5.0 MEDIUM | 7.5 HIGH |
| In Irssi before 1.0.3, when receiving a DCC message without source nick/host, it attempts to dereference a NULL pointer. Thus, remote IRC servers can cause a crash. | |||||
| CVE-2018-0492 | 2 Beep Project, Debian | 2 Beep, Debian Linux | 2019-03-14 | 4.4 MEDIUM | 7.0 HIGH |
| Johnathan Nightingale beep through 1.3.4, if setuid, has a race condition that allows local privilege escalation. | |||||
| CVE-2017-15565 | 2 Debian, Freedesktop | 2 Debian Linux, Poppler | 2019-03-14 | 6.8 MEDIUM | 8.8 HIGH |
| In Poppler 0.59.0, a NULL Pointer Dereference exists in the GfxImageColorMap::getGrayLine() function in GfxState.cc via a crafted PDF document. | |||||
| CVE-2018-1000037 | 2 Artifex, Debian | 2 Mupdf, Debian Linux | 2019-03-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| In MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF parser allow an attacker to cause a denial of service (assert crash) via a crafted file. | |||||
| CVE-2018-1000069 | 2 Debian, Freeplane | 2 Debian Linux, Freeplane | 2019-03-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| FreePlane version 1.5.9 and earlier contains a XML External Entity (XXE) vulnerability in XML Parser in mindmap loader that can result in stealing data from victim's machine. This attack appears to require the victim to open a specially crafted mind map file. This vulnerability appears to have been fixed in 1.6+. | |||||
| CVE-2018-1000051 | 2 Artifex, Debian | 2 Mupdf, Debian Linux | 2019-03-14 | 6.8 MEDIUM | 7.8 HIGH |
| Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability in fz_keep_key_storable that can result in DOS / Possible code execution. This attack appear to be exploitable via Victim opens a specially crafted PDF. | |||||
| CVE-2018-1000040 | 2 Artifex, Debian | 2 Mupdf, Debian Linux | 2019-03-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| In MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs in the PDF parser could allow an attacker to cause a denial of service (crash) or influence program flow via a crafted file. | |||||
| CVE-2017-15577 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2019-03-14 | 5.0 MEDIUM | 7.5 HIGH |
| Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information. | |||||
| CVE-2017-15722 | 2 Debian, Irssi | 2 Debian Linux, Irssi | 2019-03-14 | 4.3 MEDIUM | 5.9 MEDIUM |
| In certain cases, Irssi before 1.0.5 may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string. | |||||
| CVE-2017-15723 | 2 Debian, Irssi | 2 Debian Linux, Irssi | 2019-03-14 | 5.0 MEDIUM | 7.5 HIGH |
| In Irssi before 1.0.5, overlong nicks or targets may result in a NULL pointer dereference while splitting the message. | |||||
| CVE-2017-15721 | 2 Debian, Irssi | 2 Debian Linux, Irssi | 2019-03-14 | 5.0 MEDIUM | 7.5 HIGH |
| In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages could cause a NULL pointer dereference. This is a separate, but similar, issue relative to CVE-2017-9468. | |||||
| CVE-2017-15576 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2019-03-14 | 5.0 MEDIUM | 7.5 HIGH |
| Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information. | |||||
| CVE-2017-15572 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2019-03-14 | 5.0 MEDIUM | 7.5 HIGH |
| In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect. | |||||
| CVE-2017-15568 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2019-03-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/application_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of issue history. | |||||
| CVE-2017-15569 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2019-03-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list. | |||||
| CVE-2017-15570 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2019-03-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data. | |||||
| CVE-2017-15571 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2019-03-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/issues/_list.html.erb via crafted column data. | |||||
| CVE-2017-15573 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2019-03-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because markup is mishandled in wiki content. | |||||
| CVE-2017-15574 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2019-03-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment. | |||||
| CVE-2017-6307 | 2 Debian, Tnef Project | 2 Debian Linux, Tnef | 2019-03-13 | 6.8 MEDIUM | 7.8 HIGH |
| An issue was discovered in tnef before 1.4.13. Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker. | |||||
| CVE-2017-6468 | 2 Debian, Wireshark | 2 Debian Linux, Wireshark | 2019-03-13 | 5.0 MEDIUM | 7.5 HIGH |
| In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler file parser crash, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by validating the relationship between pages and records. | |||||
| CVE-2017-6473 | 2 Debian, Wireshark | 2 Debian Linux, Wireshark | 2019-03-13 | 5.0 MEDIUM | 7.5 HIGH |
| In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a K12 file parser crash, triggered by a malformed capture file. This was addressed in wiretap/k12.c by validating the relationships between lengths and offsets. | |||||
| CVE-2017-6308 | 2 Debian, Tnef Project | 2 Debian Linux, Tnef | 2019-03-13 | 6.8 MEDIUM | 7.8 HIGH |
| An issue was discovered in tnef before 1.4.13. Several Integer Overflows, which can lead to Heap Overflows, have been identified in the functions that wrap memory allocation. | |||||
| CVE-2017-6309 | 2 Debian, Tnef Project | 2 Debian Linux, Tnef | 2019-03-13 | 6.8 MEDIUM | 7.8 HIGH |
| An issue was discovered in tnef before 1.4.13. Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker. | |||||
| CVE-2017-6310 | 2 Debian, Tnef Project | 2 Debian Linux, Tnef | 2019-03-13 | 6.8 MEDIUM | 7.8 HIGH |
| An issue was discovered in tnef before 1.4.13. Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker. | |||||
| CVE-2017-16654 | 2 Debian, Sensiolabs | 2 Debian Linux, Symfony | 2019-03-13 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal. | |||||
| CVE-2018-11408 | 2 Debian, Sensiolabs | 2 Debian Linux, Symfony | 2019-03-13 | 5.8 MEDIUM | 6.1 MEDIUM |
| The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652. | |||||
| CVE-2017-2826 | 2 Debian, Zabbix | 2 Debian Linux, Zabbix | 2019-03-13 | 4.3 MEDIUM | 3.7 LOW |
| An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability. | |||||
| CVE-2017-6471 | 2 Debian, Wireshark | 2 Debian Linux, Wireshark | 2019-03-13 | 5.0 MEDIUM | 7.5 HIGH |
| In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a WSP infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wsp.c by validating the capability length. | |||||
| CVE-2017-6469 | 2 Debian, Wireshark | 2 Debian Linux, Wireshark | 2019-03-13 | 5.0 MEDIUM | 7.5 HIGH |
| In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an LDSS dissector crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-ldss.c by ensuring that memory is allocated for a certain data structure. | |||||
| CVE-2017-16652 | 2 Debian, Sensiolabs | 2 Debian Linux, Symfony | 2019-03-13 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks. | |||||
| CVE-2018-5184 | 4 Canonical, Debian, Mozilla and 1 more | 11 Ubuntu Linux, Debian Linux, Thunderbird and 8 more | 2019-03-13 | 5.0 MEDIUM | 7.5 HIGH |
| Using remote content in encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. | |||||
| CVE-2017-6500 | 2 Debian, Imagemagick | 2 Debian Linux, Imagemagick | 2019-03-13 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in ImageMagick 6.9.7. A specially crafted sun file triggers a heap-based buffer over-read. | |||||
| CVE-2017-6498 | 2 Debian, Imagemagick | 2 Debian Linux, Imagemagick | 2019-03-13 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could trigger assertion failures, thus leading to DoS. | |||||
| CVE-2018-5145 | 4 Canonical, Debian, Mozilla and 1 more | 10 Ubuntu Linux, Debian Linux, Firefox Esr and 7 more | 2019-03-13 | 7.5 HIGH | 9.8 CRITICAL |
| Memory safety bugs were reported in Firefox ESR 52.6. These bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7. | |||||
| CVE-2018-5150 | 4 Canonical, Debian, Mozilla and 1 more | 12 Ubuntu Linux, Debian Linux, Firefox and 9 more | 2019-03-13 | 7.5 HIGH | 9.8 CRITICAL |
| Memory safety bugs were reported in Firefox 59, Firefox ESR 52.7, and Thunderbird 52.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. | |||||
| CVE-2018-5158 | 4 Canonical, Debian, Mozilla and 1 more | 10 Ubuntu Linux, Debian Linux, Firefox and 7 more | 2019-03-13 | 6.8 MEDIUM | 8.8 HIGH |
| The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60. | |||||
| CVE-2018-5157 | 4 Canonical, Debian, Mozilla and 1 more | 10 Ubuntu Linux, Debian Linux, Firefox and 7 more | 2019-03-13 | 5.0 MEDIUM | 7.5 HIGH |
| Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60. | |||||
| CVE-2018-5161 | 4 Canonical, Debian, Mozilla and 1 more | 10 Ubuntu Linux, Debian Linux, Thunderbird and 7 more | 2019-03-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| Crafted message headers can cause a Thunderbird process to hang on receiving the message. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. | |||||
| CVE-2018-5170 | 4 Canonical, Debian, Mozilla and 1 more | 10 Ubuntu Linux, Debian Linux, Thunderbird and 7 more | 2019-03-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| It is possible to spoof the filename of an attachment and display an arbitrary attachment name. This could lead to a user opening a remote attachment which is a different file type than expected. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. | |||||