Total
8866 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-0728 | 5 Canonical, Debian, Google and 2 more | 5 Ubuntu Linux, Debian Linux, Android and 2 more | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands. | |||||
CVE-2015-1253 | 2 Debian, Google | 2 Debian Linux, Chrome | 2024-02-28 | 7.5 HIGH | N/A |
core/html/parser/HTMLConstructionSite.cpp in the DOM implementation in Blink, as used in Google Chrome before 43.0.2357.65, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that appends a child to a SCRIPT element, related to the insert and executeReparentTask functions. | |||||
CVE-2016-5300 | 4 Canonical, Debian, Google and 1 more | 4 Ubuntu Linux, Debian Linux, Android and 1 more | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. | |||||
CVE-2016-4029 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-02-28 | 5.0 MEDIUM | 8.6 HIGH |
WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address. | |||||
CVE-2016-2335 | 3 7-zip, Debian, Opensuse | 3 7-zip, Debian Linux, Opensuse | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
The CInArchive::ReadFileItem method in Archive/Udf/UdfIn.cpp in 7zip 9.20 and 15.05 beta and p7zip allows remote attackers to cause a denial of service (out-of-bounds read) or execute arbitrary code via the PartitionRef field in the Long Allocation Descriptor in a UDF file. | |||||
CVE-2016-1687 | 5 Debian, Google, Opensuse and 2 more | 8 Debian Linux, Chrome, Leap and 5 more | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
The renderer implementation in Google Chrome before 51.0.2704.63 does not properly restrict public exposure of classes, which allows remote attackers to obtain sensitive information via vectors related to extensions. | |||||
CVE-2016-0706 | 3 Apache, Canonical, Debian | 3 Tomcat, Ubuntu Linux, Debian Linux | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. | |||||
CVE-2015-1286 | 4 Debian, Google, Opensuse and 1 more | 7 Debian Linux, Chrome, Opensuse and 4 more | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the V8ContextNativeHandler::GetModuleSystem function in extensions/renderer/v8_context_native_handler.cc in Google Chrome before 44.0.2403.89 allows remote attackers to inject arbitrary web script or HTML by leveraging the lack of a certain V8 context restriction, aka a Blink "Universal XSS (UXSS)." | |||||
CVE-2015-5523 | 4 Apple, Canonical, Debian and 1 more | 6 Iphone Os, Mac Os X, Watchos and 3 more | 2024-02-28 | 4.3 MEDIUM | N/A |
The ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving multiple whitespace characters before an empty href, which triggers a large memory allocation. | |||||
CVE-2015-1278 | 4 Debian, Google, Opensuse and 1 more | 7 Debian Linux, Chrome, Opensuse and 4 more | 2024-02-28 | 4.3 MEDIUM | N/A |
content/browser/web_contents/web_contents_impl.cc in Google Chrome before 44.0.2403.89 does not ensure that a PDF document's modal dialog is closed upon navigation to an interstitial page, which allows remote attackers to spoof URLs via a crafted document, as demonstrated by the alert_dialog.pdf document. | |||||
CVE-2015-8629 | 5 Debian, Mit, Opensuse and 2 more | 12 Debian Linux, Kerberos 5, Leap and 9 more | 2024-02-28 | 2.1 LOW | 5.3 MEDIUM |
The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string. | |||||
CVE-2016-1240 | 3 Apache, Canonical, Debian | 3 Tomcat, Ubuntu Linux, Debian Linux | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out. | |||||
CVE-2016-3170 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in. | |||||
CVE-2015-7695 | 2 Debian, Zend | 2 Debian Linux, Zend Framework | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The PDO adapters in Zend Framework before 1.12.16 do not filer null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query. | |||||
CVE-2016-1572 | 5 Canonical, Debian, Ecryptfs and 2 more | 6 Ubuntu Linux, Debian Linux, Ecryptfs-utils and 3 more | 2024-02-28 | 4.6 MEDIUM | 8.4 HIGH |
mount.ecryptfs_private.c in eCryptfs-utils does not validate mount destination filesystem types, which allows local users to gain privileges by mounting over a nonstandard filesystem, as demonstrated by /proc/$pid. | |||||
CVE-2015-7312 | 3 Canonical, Debian, Linux | 3 Ubuntu Linux, Debian Linux, Linux Kernel | 2024-02-28 | 4.4 MEDIUM | N/A |
Multiple race conditions in the Advanced Union Filesystem (aufs) aufs3-mmap.patch and aufs4-mmap.patch patches for the Linux kernel 3.x and 4.x allow local users to cause a denial of service (use-after-free and BUG) or possibly gain privileges via a (1) madvise or (2) msync system call, related to mm/madvise.c and mm/msync.c. | |||||
CVE-2016-3069 | 6 Debian, Fedoraproject, Mercurial and 3 more | 14 Debian Linux, Fedora, Mercurial and 11 more | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository. | |||||
CVE-2015-7497 | 5 Canonical, Debian, Hp and 2 more | 9 Ubuntu Linux, Debian Linux, Icewall Federation Agent and 6 more | 2024-02-28 | 5.0 MEDIUM | N/A |
Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors. | |||||
CVE-2011-5326 | 2 Debian, Enlightenment | 2 Debian Linux, Imlib2 | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
imlib2 before 1.4.9 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) by drawing a 2x1 ellipse. | |||||
CVE-2015-1273 | 4 Debian, Google, Opensuse and 1 more | 7 Debian Linux, Chrome, Opensuse and 4 more | 2024-02-28 | 6.8 MEDIUM | N/A |
Heap-based buffer overflow in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid JPEG2000 data in a PDF document. |