CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Debian » Debian Linux » 7.0 : Security Vulnerabilities

Cpe Name:cpe:/o:debian:debian_linux:7.0
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-4024 119 Exec Code Overflow 2016-05-13 2016-05-16
7.5
None Remote Low Not required Partial Partial Partial
Integer overflow in imlib2 before 1.4.9 on 32-bit platforms allows remote attackers to execute arbitrary code via large dimensions in an image, which triggers an out-of-bounds heap memory write operation.
2 CVE-2016-3994 119 DoS Overflow +Info 2016-05-13 2016-05-16
6.4
None Remote Low Not required Partial None Partial
The GIF loader in imlib2 before 1.4.9 allows remote attackers to cause a denial of service (application crash) or obtain sensitive information via a crafted image, which triggers an out-of-bounds read.
3 CVE-2016-3993 119 DoS Overflow 2016-05-13 2016-05-16
5.0
None Remote Low Not required None None Partial
Off-by-one error in the __imlib_MergeUpdate function in lib/updates.c in imlib2 before 1.4.9 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted coordinates.
4 CVE-2016-3982 119 DoS Exec Code Overflow 2016-04-13 2016-05-18
6.8
None Remote Medium Not required Partial Partial Partial
Off-by-one error in the bmp_rle4_fread function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file, which triggers a heap-based buffer overflow.
5 CVE-2016-3981 119 DoS Exec Code Overflow 2016-04-13 2016-05-18
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in the bmp_read_rows function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file.
6 CVE-2016-3630 19 Exec Code 2016-04-13 2016-04-18
6.8
None Remote Medium Not required Partial Partial Partial
The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
7 CVE-2016-3171 19 Exec Code 2016-04-12 2016-05-09
6.8
None Remote Medium Not required Partial Partial Partial
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
8 CVE-2016-3170 200 +Info 2016-04-12 2016-04-14
5.0
None Remote Low Not required Partial None None
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.
9 CVE-2016-3169 264 +Priv 2016-04-12 2016-04-12
6.8
User Remote Medium Not required Partial Partial Partial
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
10 CVE-2016-3168 254 2016-04-12 2016-04-14
8.5
None Remote Medium Single system Complete Complete Complete
The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."
11 CVE-2016-3167 2016-04-12 2016-04-18
6.4
None Remote Low Not required Partial Partial None
Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.
12 CVE-2016-3166 Http R.Spl. 2016-04-12 2016-04-12
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.
13 CVE-2016-3164 2016-04-12 2016-04-12
5.8
None Remote Medium Not required Partial Partial None
Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.
14 CVE-2016-3163 254 2016-04-12 2016-04-18
5.0
None Remote Low Not required None Partial None
The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.
15 CVE-2016-3162 284 Bypass 2016-04-12 2016-04-22
6.5
None Remote Low Single system Partial Partial Partial
The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.
16 CVE-2016-3153 94 Exec Code 2016-04-08 2016-04-14
7.5
None Remote Low Not required Partial Partial Partial
SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.
17 CVE-2016-3074 189 DoS Exec Code Overflow 2016-04-26 2016-05-06
7.5
None Remote Low Not required Partial Partial Partial
Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.
18 CVE-2016-3069 20 Exec Code 2016-04-13 2016-04-18
6.8
None Remote Medium Not required Partial Partial Partial
Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.
19 CVE-2016-3068 20 Exec Code 2016-04-13 2016-04-18
6.8
None Remote Medium Not required Partial Partial Partial
Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.
20 CVE-2016-2851 119 DoS Exec Code Overflow Mem. Corr. 2016-04-07 2016-04-11
7.5
None Remote Low Not required Partial Partial Partial
Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.
21 CVE-2016-2533 119 DoS Overflow 2016-04-13 2016-05-04
4.3
None Remote Medium Not required None None Partial
Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.
22 CVE-2016-2511 79 XSS 2016-04-07 2016-04-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in WebSVN 2.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the path parameter to log.php.
23 CVE-2016-2510 19 Exec Code 2016-04-07 2016-04-18
6.8
None Remote Medium Not required Partial Partial Partial
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
24 CVE-2016-2381 20 Bypass 2016-04-08 2016-04-25
5.0
None Remote Low Not required None Partial None
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
25 CVE-2016-2342 119 DoS Exec Code Overflow 2016-03-17 2016-05-19
7.6
None Remote High Not required Complete Complete Complete
The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4 configuration is used, relies on a Labeled-VPN SAFI routes-data length field during a data copy, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted packet.
26 CVE-2016-2191 119 DoS Overflow 2016-04-13 2016-05-25
4.3
None Remote Medium Not required None None Partial
The bmp_read_rows function in pngxtern/pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (invalid memory write and crash) via a series of delta escapes in a crafted BMP image.
27 CVE-2016-2143 20 DoS 2016-04-27 2016-05-10
6.9
None Local Medium Not required Complete Complete Complete
The fork implementation in the Linux kernel before 4.5 on s390 platforms mishandles the case of four page-table levels, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h.
28 CVE-2016-2037 119 DoS Overflow 2016-02-22 2016-03-07
4.3
None Remote Medium Not required None None Partial
The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file.
29 CVE-2016-1232 2016-01-12 2016-01-21
5.0
None Remote Low Not required Partial None None
The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.
30 CVE-2016-1231 22 Dir. Trav. 2016-01-12 2016-01-21
4.3
None Remote Medium Not required Partial None None
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.
31 CVE-2016-0787 200 +Info 2016-04-13 2016-04-18
4.3
None Remote Medium Not required Partial None None
The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug."
32 CVE-2016-0775 119 DoS Overflow 2016-04-13 2016-04-18
4.3
None Remote Medium Not required None None Partial
Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.
33 CVE-2016-0773 119 DoS Overflow 2016-02-17 2016-03-10
5.0
None Remote Low Not required None None Partial
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression.
34 CVE-2016-0766 264 +Priv 2016-02-17 2016-03-09
9.0
None Remote Low Single system Complete Complete Complete
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors.
35 CVE-2016-0763 264 DoS Bypass 2016-02-24 2016-05-19
6.5
None Remote Low Single system Partial Partial Partial
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
36 CVE-2016-0755 287 2016-01-29 2016-02-17
5.0
None Remote Low Not required None Partial None
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
37 CVE-2016-0740 119 Overflow 2016-04-13 2016-04-18
4.3
None Remote Medium Not required None Partial None
Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.
38 CVE-2016-0739 200 +Info 2016-04-13 2016-04-18
4.3
None Remote Medium Not required Partial None None
libssh before 0.7.3 improperly truncates ephemeral secrets generated for the (1) diffie-hellman-group1 and (2) diffie-hellman-group14 key exchange methods to 128 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug."
39 CVE-2016-0714 264 Exec Code Bypass 2016-02-24 2016-05-19
6.5
None Remote Low Single system Partial Partial Partial
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
40 CVE-2016-0706 200 Bypass +Info 2016-02-24 2016-05-19
4.0
None Remote Low Single system Partial None None
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
41 CVE-2015-8852 Http R.Spl. 2016-04-25 2016-05-06
5.0
None Remote Low Not required None Partial None
Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.
42 CVE-2015-8784 119 DoS Overflow 2016-04-13 2016-04-18
4.3
None Remote Medium Not required None None Partial
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif.
43 CVE-2015-8783 119 DoS Overflow 2016-02-01 2016-05-27
4.3
None Remote Medium Not required None None Partial
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.
44 CVE-2015-8782 119 DoS Overflow 2016-02-01 2016-05-27
4.3
None Remote Medium Not required None None Partial
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.
45 CVE-2015-8781 119 DoS Overflow 2016-02-01 2016-05-19
4.3
None Remote Medium Not required None None Partial
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.
46 CVE-2015-8710 119 DoS Overflow +Info 2016-04-11 2016-04-19
7.5
None Remote Low Not required Partial Partial Partial
The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.
47 CVE-2015-8702 20 DoS 2016-04-12 2016-04-20
7.8
None Remote Low Not required None None Complete
The DNS::GetResult function in dns.cpp in InspIRCd before 2.0.19 allows remote DNS servers to cause a denial of service (netsplit) via an invalid character in a PTR response, as demonstrated by a "\032" (whitespace) character in a hostname.
48 CVE-2015-8683 119 DoS Overflow 2016-04-13 2016-04-20
4.3
None Remote Medium Not required None None Partial
The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.
49 CVE-2015-8476 20 2015-12-16 2015-12-17
5.0
None Remote Low Not required None Partial None
Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796.
50 CVE-2015-8474 2016-04-12 2016-04-20
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985.
Total number of vulnerabilities : 232   Page : 1 (This Page)2 3 4 5
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.