CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Debian : Security Vulnerabilities (CVSS score between 4 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-15955 476 2017-10-28 2017-11-16
4.3
None Remote Medium Not required None None Partial
bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to an "Access violation near NULL on destination operand" and crash when processing a malformed CUE (.cue) file.
2 CVE-2017-15954 119 Overflow 2017-10-28 2017-11-16
4.3
None Remote Medium Not required None None Partial
bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a heap-based buffer overflow (with a resultant invalid free) and crash when processing a malformed CUE (.cue) file.
3 CVE-2017-15953 119 Overflow 2017-10-28 2017-11-16
4.3
None Remote Medium Not required None None Partial
bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a heap-based buffer overflow and crash when processing a malformed CUE (.cue) file.
4 CVE-2017-14494 200 +Info 2017-10-02 2017-10-23
4.3
None Remote Medium Not required Partial None None
dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests.
5 CVE-2017-13723 119 Overflow 2017-10-09 2017-11-05
4.6
None Local Low Not required Partial Partial Partial
In X.Org Server (aka xserver and xorg-server) before 1.19.4, a local attacker authenticated to the X server could overflow a global buffer, causing crashes of the X server or potentially other problems by injecting large or malformed XKB related atoms and accessing them via xkbcomp.
6 CVE-2017-5938 79 XSS 2017-03-15 2017-05-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.
7 CVE-2017-5120 254 2017-10-27 2017-11-15
4.3
None Remote Medium Not required None Partial None
Inappropriate use of www mismatch redirects in browser navigation in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, allowed a remote attacker to potentially downgrade HTTPS requests to HTTP via a crafted HTML page. In other words, Chrome could transmit cleartext even though the user had entered an https URL, because of a misdesigned workaround for cases where the domain name in a URL almost matches the domain name in an X.509 server certificate (but differs in the initial "www." substring).
8 CVE-2017-5119 119 Overflow +Info 2017-10-27 2017-11-15
4.3
None Remote Medium Not required Partial None None
Use of an uninitialized value in Skia in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
9 CVE-2017-5118 254 Bypass 2017-10-27 2017-11-15
4.3
None Remote Medium Not required None Partial None
Blink in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, failed to correctly propagate CSP restrictions to javascript scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page.
10 CVE-2017-5117 200 +Info 2017-10-27 2017-11-15
4.3
None Remote Medium Not required Partial None None
Use of an uninitialized value in Skia in Google Chrome prior to 61.0.3163.79 for Linux and Windows allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
11 CVE-2017-5110 20 2017-10-27 2017-11-15
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation of the web payments API on blob: and data: schemes in Web Payments in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to spoof the contents of the Omnibox via a crafted HTML page.
12 CVE-2017-5109 20 2017-10-27 2017-11-15
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation of unload handler handling in permission prompts in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to display UI on a non attacker controlled tab via a crafted HTML page.
13 CVE-2017-5106 20 2017-10-27 2017-11-15
4.3
None Remote Medium Not required None Partial None
Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name.
14 CVE-2017-5105 20 2017-10-27 2017-11-15
4.3
None Remote Medium Not required None Partial None
Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name.
15 CVE-2017-5104 20 2017-10-27 2017-11-15
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation in interstitials in Google Chrome prior to 60.0.3112.78 for Mac allowed a remote attacker to spoof the contents of the omnibox via a crafted HTML page.
16 CVE-2017-5103 200 +Info 2017-10-27 2017-11-15
4.3
None Remote Medium Not required Partial None None
Use of an uninitialized value in Skia in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
17 CVE-2017-5102 200 +Info 2017-10-27 2017-11-15
4.3
None Remote Medium Not required Partial None None
Use of an uninitialized value in Skia in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
18 CVE-2017-5101 20 2017-10-27 2017-11-15
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation in Omnibox in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to spoof the contents of the Omnibox via a crafted HTML page.
19 CVE-2017-5094 704 2017-10-27 2017-11-15
4.3
None Remote Medium Not required None Partial None
Type confusion in extensions JavaScript bindings in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to potentially maliciously modify objects via a crafted HTML page.
20 CVE-2017-5093 20 2017-10-27 2017-11-16
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation in modal dialog handling in Blink in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to prevent a full screen warning from being displayed via a crafted HTML page.
21 CVE-2016-9964 93 2016-12-16 2017-01-10
4.3
None Remote Medium Not required None Partial None
redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.
22 CVE-2016-9830 20 DoS 2017-03-01 2017-03-02
4.3
None Remote Medium Not required None None Partial
The MagickRealloc function in memory.c in Graphicsmagick 1.3.25 allows remote attackers to cause a denial of service (crash) via large dimensions in a jpeg image.
23 CVE-2016-9556 119 DoS Overflow 2017-03-23 2017-03-24
4.3
None Remote Medium Not required None None Partial
The IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3-8 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted image file.
24 CVE-2016-9532 125 DoS Overflow 2017-02-06 2017-02-08
4.3
None Remote Medium Not required None None Partial
Integer overflow in the writeBufferToSeparateStrips function in tiffcrop.c in LibTIFF before 4.0.7 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tif file.
25 CVE-2016-9376 399 2016-11-17 2017-07-27
4.3
None Remote Medium Not required None None Partial
In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the OpenFlow dissector could crash with memory exhaustion, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-openflow_v5.c by ensuring that certain length values were sufficiently large.
26 CVE-2016-9375 20 2016-11-17 2017-07-27
4.3
None Remote Medium Not required None None Partial
In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DTN dissector could go into an infinite loop, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dtn.c by checking whether SDNV evaluation was successful.
27 CVE-2016-9374 119 Overflow 2016-11-17 2017-07-27
4.3
None Remote Medium Not required None None Partial
In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the AllJoyn dissector could crash with a buffer over-read, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-alljoyn.c by ensuring that a length variable properly tracked the state of a signature variable.
28 CVE-2016-9373 416 2016-11-17 2017-07-27
4.3
None Remote Medium Not required None None Partial
In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DCERPC dissector could crash with a use-after-free, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dcerpc-nt.c and epan/dissectors/packet-dcerpc-spoolss.c by using the wmem file scope for private strings.
29 CVE-2016-9189 190 Overflow +Info 2016-11-04 2017-06-30
4.3
None Remote Medium Not required Partial None None
Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component.
30 CVE-2016-9119 79 XSS 2017-01-30 2017-02-03
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
31 CVE-2016-8692 369 DoS 2017-02-15 2017-02-22
4.3
None Remote Medium Not required None None Partial
The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted YRsiz value in a BMP image to the imginfo command.
32 CVE-2016-8691 369 DoS 2017-02-15 2017-02-22
4.3
None Remote Medium Not required None None Partial
The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted XRsiz value in a BMP image to the imginfo command.
33 CVE-2016-7424 476 DoS 2016-10-07 2016-10-11
4.3
None Remote Medium Not required None None Partial
The put_no_rnd_pixels8_xy2_mmx function in x86/rnd_template.c in libav 11.7 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted MP3 file.
34 CVE-2016-7180 416 DoS 2016-09-09 2016-09-29
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-ipmi-trace.c in the IPMI trace dissector in Wireshark 2.x before 2.0.6 does not properly consider whether a string is constant, which allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted packet.
35 CVE-2016-7179 119 DoS Overflow 2016-09-09 2016-09-29
4.3
None Remote Medium Not required None None Partial
Stack-based buffer overflow in epan/dissectors/packet-catapult-dct2000.c in the Catapult DCT2000 dissector in Wireshark 2.x before 2.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted packet.
36 CVE-2016-7178 787 DoS 2016-09-09 2016-09-29
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 2.x before 2.0.6 does not ensure that memory is allocated for certain data structures, which allows remote attackers to cause a denial of service (invalid write access and application crash) via a crafted packet.
37 CVE-2016-7177 119 DoS Overflow 2016-09-09 2016-09-29
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-catapult-dct2000.c in the Catapult DCT2000 dissector in Wireshark 2.x before 2.0.6 does not restrict the number of channels, which allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.
38 CVE-2016-7176 119 DoS Overflow 2016-09-09 2016-09-30
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-h225.c in the H.225 dissector in Wireshark 2.x before 2.0.6 calls snprintf with one of its input buffers as the output buffer, which allows remote attackers to cause a denial of service (copy overlap and application crash) via a crafted packet.
39 CVE-2016-7142 264 2016-09-26 2016-09-28
4.3
None Remote Medium Not required Partial None None
The m_sasl module in InspIRCd before 2.0.23, when used with a service that supports SASL_EXTERNAL authentication, allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted SASL message.
40 CVE-2016-7118 476 DoS 2016-08-31 2016-11-28
4.9
None Local Low Not required None None Complete
fs/fcntl.c in the "aufs 3.2.x+setfl-debian" patch in the linux-image package 3.2.0-4 (kernel 3.2.81-1) in Debian wheezy mishandles F_SETFL fcntl calls on directories, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via standard filesystem operations, as demonstrated by scp from an AUFS filesystem.
41 CVE-2016-6316 79 XSS 2016-09-07 2016-11-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
42 CVE-2016-6214 125 DoS 2016-08-12 2016-11-28
4.3
None Remote Medium Not required None None Partial
gd_tga.c in the GD Graphics Library (aka libgd) before 2.2.3 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.
43 CVE-2016-6207 787 DoS Overflow 2016-08-12 2017-06-30
4.3
None Remote Medium Not required None None Partial
Integer overflow in the _gdContributionsAlloc function in gd_interpolation.c in GD Graphics Library (aka libgd) before 2.2.3 allows remote attackers to cause a denial of service (out-of-bounds memory write or memory consumption) via unspecified vectors.
44 CVE-2016-6186 79 XSS 2016-08-05 2016-11-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
45 CVE-2016-6185 284 Exec Code 2016-08-02 2017-06-30
4.6
None Local Low Not required Partial Partial Partial
The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.
46 CVE-2016-6161 125 DoS 2016-08-12 2016-11-28
4.3
None Remote Medium Not required None None Partial
The output function in gd_gif_out.c in the GD Graphics Library (aka libgd) allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image.
47 CVE-2016-6132 125 DoS 2016-08-12 2017-06-30
4.3
None Remote Medium Not required None None Partial
The gdImageCreateFromTgaCtx function in the GD Graphics Library (aka libgd) before 2.2.3 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.
48 CVE-2016-5424 94 +Priv 2016-12-09 2017-06-30
4.6
None Remote High Single system Partial Partial Partial
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.
49 CVE-2016-5384 415 Exec Code 2016-08-12 2017-01-17
4.6
None Local Low Not required Partial Partial Partial
fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.
50 CVE-2016-5322 125 DoS 2017-04-11 2017-04-17
4.3
None Remote Medium Not required None None Partial
The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image.
Total number of vulnerabilities : 268   Page : 1 (This Page)2 3 4 5 6
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.