Total
8852 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-7490 | 2 Debian, Unbit | 2 Debian Linux, Uwsgi | 2018-03-23 | 5.0 MEDIUM | 7.5 HIGH |
| uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal. | |||||
| CVE-2018-0489 | 3 Arubanetworks, Debian, Shibboleth | 3 Clearpass, Debian Linux, Xmltooling-c | 2018-03-23 | 6.4 MEDIUM | 6.5 MEDIUM |
| Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486. | |||||
| CVE-2017-6927 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2018-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. | |||||
| CVE-2017-6932 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2018-03-22 | 5.8 MEDIUM | 4.7 MEDIUM |
| Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site. | |||||
| CVE-2017-6929 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2018-03-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module. | |||||
| CVE-2015-5314 | 2 Debian, W1.fi | 2 Debian Linux, Wpa Supplicant | 2018-03-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message. | |||||
| CVE-2015-5315 | 2 Debian, W1.fi | 2 Debian Linux, Wpa Supplicant | 2018-03-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when EAP-pwd is enabled in a network configuration profile, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message. | |||||
| CVE-2015-5316 | 2 Debian, W1.fi | 2 Debian Linux, Wpa Supplicant | 2018-03-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| The eap_pwd_perform_confirm_exchange function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6, when EAP-pwd is enabled in a network configuration profile, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an EAP-pwd Confirm message followed by the Identity exchange. | |||||
| CVE-2017-7375 | 3 Debian, Google, Xmlsoft | 3 Debian Linux, Android, Libxml2 | 2018-03-18 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable). | |||||
| CVE-2017-17863 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2018-03-16 | 7.2 HIGH | 7.8 HIGH |
| kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not check the relationship between pointer values and the BPF stack, which allows local users to cause a denial of service (integer overflow or invalid memory access) or possibly have unspecified other impact. | |||||
| CVE-2017-12380 | 2 Clamav, Debian | 2 Clamav, Debian Linux | 2018-03-16 | 7.8 HIGH | 7.5 HIGH |
| ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms in mbox.c during certain mail parsing functions of the ClamAV software. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. An exploit could trigger a NULL pointer dereference condition when ClamAV scans the malicious email, which may result in a DoS condition. | |||||
| CVE-2017-12379 | 2 Clamav, Debian | 2 Clamav, Debian Linux | 2018-03-16 | 10.0 HIGH | 9.8 CRITICAL |
| ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. The vulnerability is due to improper input validation checking mechanisms in the message parsing function on an affected system. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. This action could cause a messageAddArgument (in message.c) buffer overflow condition when ClamAV scans the malicious email, allowing the attacker to potentially cause a DoS condition or execute arbitrary code on an affected device. | |||||
| CVE-2017-12376 | 2 Clamav, Debian | 2 Clamav, Debian Linux | 2018-03-16 | 9.3 HIGH | 7.8 HIGH |
| ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. The vulnerability is due to improper input validation checking mechanisms when handling Portable Document Format (.pdf) files sent to an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted .pdf file to an affected device. This action could cause a handle_pdfname (in pdf.c) buffer overflow when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition or potentially execute arbitrary code. | |||||
| CVE-2017-12375 | 2 Clamav, Debian | 2 Clamav, Debian Linux | 2018-03-16 | 7.8 HIGH | 7.5 HIGH |
| The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing functions (the rfc2047 function in mbox.c). An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. This action could cause a buffer overflow condition when ClamAV scans the malicious email, allowing the attacker to potentially cause a DoS condition on an affected device. | |||||
| CVE-2017-12374 | 2 Clamav, Debian | 2 Clamav, Debian Linux | 2018-03-16 | 7.8 HIGH | 7.5 HIGH |
| The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing operations (mbox.c operations on bounce messages). If successfully exploited, the ClamAV software could allow a variable pointing to the mail body which could cause a used after being free (use-after-free) instance which may lead to a disruption of services on an affected device to include a denial of service condition. | |||||
| CVE-2018-6596 | 2 Debian, Django-anymail Project | 2 Debian Linux, Django-anymail | 2018-03-02 | 6.4 MEDIUM | 9.1 CRITICAL |
| webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events. | |||||
| CVE-2011-2902 | 2 Debian, Glyphandcog | 2 Debian Linux, Xpdf | 2018-02-23 | 6.4 MEDIUM | 5.3 MEDIUM |
| zxpdf in xpdf before 3.02-19 as packaged in Debian unstable and 3.02-12+squeeze1 as packaged in Debian squeeze deletes temporary files insecurely, which allows remote attackers to delete arbitrary files via a crafted .pdf.gz file name. | |||||
| CVE-2018-0486 | 2 Debian, Shibboleth | 2 Debian Linux, Xmltooling-c | 2018-02-15 | 6.4 MEDIUM | 6.5 MEDIUM |
| Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Provider before 2.6.0 on Windows and other products, mishandles digital signatures of user attribute data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via a crafted DTD. | |||||
| CVE-2018-5704 | 2 Debian, Openocd | 2 Debian Linux, Open On-chip Debugger | 2018-02-09 | 9.3 HIGH | 9.6 CRITICAL |
| Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote attackers to conduct cross-protocol scripting attacks, and consequently execute arbitrary commands, via a crafted web site. | |||||
| CVE-2017-15955 | 2 Bchunk Project, Debian | 2 Bchunk, Debian Linux | 2018-02-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to an "Access violation near NULL on destination operand" and crash when processing a malformed CUE (.cue) file. | |||||