CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Canonical : Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-0773 119 DoS Overflow 2016-02-17 2016-03-10
5.0
None Remote Low Not required None None Partial
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression.
2 CVE-2016-0755 287 2016-01-29 2016-02-17
5.0
None Remote Low Not required None Partial None
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
3 CVE-2016-0747 399 DoS 2016-02-15 2016-03-17
5.0
None Remote Low Not required None None Partial
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.
4 CVE-2016-0742 DoS 2016-02-15 2016-02-29
5.0
None Remote Low Not required None None Partial
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid pointer dereference and worker process crash) via a crafted UDP DNS response.
5 CVE-2015-8317 119 Overflow +Info 2015-12-15 2016-05-26
5.0
None Remote Low Not required Partial None None
The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.
6 CVE-2015-8242 119 DoS Overflow +Info 2015-12-15 2016-04-01
5.8
None Remote Medium Not required Partial None Partial
The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
7 CVE-2015-8023 20 Bypass 2015-11-18 2015-11-24
5.0
None Remote Low Not required None Partial None
The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to bypass authentication via an empty Success message in response to an initial Challenge message.
8 CVE-2015-7981 200 +Info 2015-11-24 2015-11-25
5.0
None Remote Low Not required Partial None None
The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.
9 CVE-2015-7500 119 DoS Overflow 2015-12-15 2016-05-19
5.0
None Remote Low Not required None None Partial
The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags.
10 CVE-2015-7499 119 Overflow +Info 2015-12-15 2016-05-19
5.0
None Remote Low Not required Partial None None
Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.
11 CVE-2015-7498 119 DoS Overflow 2015-12-15 2016-05-19
5.0
None Remote Low Not required None None Partial
Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure.
12 CVE-2015-7497 119 DoS Overflow 2015-12-15 2016-05-19
5.0
None Remote Low Not required None None Partial
Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.
13 CVE-2015-7236 DoS 2015-10-01 2016-04-25
5.0
None Remote Low Not required None None Partial
Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code.
14 CVE-2015-6727 200 +Info 2015-09-01 2015-09-02
5.0
None Remote Low Not required Partial None None
The Special:DeletedContributions page in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to determine if an IP is autoblocked via the "Change block" text.
15 CVE-2015-5964 399 DoS 2015-08-24 2015-08-25
5.0
None Remote Low Not required None None Partial
The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.
16 CVE-2015-5963 399 DoS 2015-08-24 2015-08-25
5.0
None Remote Low Not required None None Partial
contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.
17 CVE-2015-4484 119 DoS Overflow 2015-08-15 2015-08-26
5.0
None Remote Low Not required None None Partial
The js::jit::AssemblerX86Shared::lock_addl function in the JavaScript implementation in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allows remote attackers to cause a denial of service (application crash) by leveraging the use of shared memory and accessing (1) an Atomics object or (2) a SharedArrayBuffer object.
18 CVE-2015-4478 200 Bypass +Info 2015-08-15 2015-08-26
5.0
None Remote Low Not required None Partial None
Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 do not impose certain ECMAScript 6 requirements on JavaScript object properties, which allows remote attackers to bypass the Same Origin Policy via the reviver parameter to the JSON.parse method.
19 CVE-2015-3451 2015-05-12 2016-05-27
5.0
None Remote Low Not required Partial None None
The _clone function in XML::LibXML before 2.0119 does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via crafted XML data to the (1) new or (2) load_xml function.
20 CVE-2015-3407 284 Bypass 2015-05-19 2015-05-20
5.0
None Remote Low Not required None Partial None
Module::Signature before 0.74 allows remote attackers to bypass signature verification for files via a signature file that does not list the files.
21 CVE-2015-3153 200 +Info 2015-05-01 2016-01-21
5.0
None Remote Low Not required Partial None None
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
22 CVE-2015-3148 284 2015-04-24 2015-08-17
5.0
None Remote Low Not required None Partial None
cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
23 CVE-2015-3146 DoS 2016-04-13 2016-04-20
5.0
None Remote Low Not required None None Partial
The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in package_cb.c in libssh before 0.6.5 do not properly validate state, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted SSH packet.
24 CVE-2015-3143 264 2015-04-24 2016-04-06
5.0
None Remote Low Not required None Partial None
cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.
25 CVE-2015-2668 399 DoS 2015-05-12 2015-07-02
5.0
None Remote Low Not required None None Partial
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted xz archive file.
26 CVE-2015-2316 399 DoS 2015-03-25 2016-04-01
5.0
None Remote Low Not required None None Partial
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.
27 CVE-2015-2222 399 DoS 2015-05-12 2015-05-13
5.0
None Remote Low Not required None None Partial
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted petite packed file.
28 CVE-2015-2221 399 DoS 2015-05-12 2015-05-13
5.0
None Remote Low Not required None None Partial
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted y0da cryptor file.
29 CVE-2015-2170 399 DoS 2015-05-12 2015-05-14
5.0
None Remote Low Not required None None Partial
The upx decoder in ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted file.
30 CVE-2015-1863 119 DoS Exec Code Overflow 2015-04-28 2015-06-17
5.8
None Local Network Low Not required Partial Partial Partial
Heap-based buffer overflow in wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (crash), read memory, or possibly execute arbitrary code via crafted SSID information in a management frame when creating or updating P2P entries.
31 CVE-2015-1856 264 2015-04-17 2015-09-01
5.5
None Remote Low Single system None Partial Partial
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.
32 CVE-2015-1819 399 DoS 2015-08-14 2016-05-19
5.0
None Remote Low Not required None None Partial
The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack.
33 CVE-2015-0808 17 DoS Mem. Corr. 2015-04-01 2016-04-11
5.0
None Remote Low Not required None None Partial
The webrtc::VPMContentAnalysis::Release function in the WebRTC implementation in Mozilla Firefox before 37.0 uses incompatible approaches to the deallocation of memory for simple-type arrays, which might allow remote attackers to cause a denial of service (memory corruption) via unspecified vectors.
34 CVE-2015-0802 264 Exec Code 2015-04-01 2016-04-11
5.0
None Remote Low Not required None Partial None
Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of a privileged window with an unintended persistence of access to restricted internal methods.
35 CVE-2015-0222 17 DoS 2015-01-16 2015-04-17
5.0
None Remote Low Not required None None Partial
ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.
36 CVE-2015-0221 399 DoS 2015-01-16 2015-04-17
5.0
None Remote Low Not required None None Partial
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
37 CVE-2014-9745 399 DoS 2015-09-14 2015-09-16
5.0
None Remote Low Not required None None Partial
The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (infinite loop) via a "broken number-with-base" in a Postscript stream, as demonstrated by 8#garbage.
38 CVE-2014-9675 264 Bypass 2015-02-08 2015-09-15
5.0
None Remote Low Not required Partial None None
bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font.
39 CVE-2014-9636 119 DoS Overflow 2015-02-06 2015-02-09
5.0
None Remote Low Not required None None Partial
unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.
40 CVE-2014-8080 DoS 2014-11-03 2015-10-09
5.0
None Remote Low Not required None None Partial
The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.
41 CVE-2014-7815 264 DoS 2014-11-14 2015-03-17
5.0
None Remote Low Not required None None Partial
The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value.
42 CVE-2014-5031 264 +Info 2014-07-29 2015-09-08
5.0
None Remote Low Not required Partial None None
The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtains sensitive information via unspecified vectors.
43 CVE-2014-4615 200 +Info 2014-08-19 2014-08-20
5.0
None Remote Low Not required Partial None None
The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).
44 CVE-2014-3925 255 +Info 2014-06-01 2016-04-06
5.0
None Remote Low Not required Partial None None
sosreport in Red Hat sos 1.7 and earlier on Red Hat Enterprise Linux (RHEL) 5 produces an archive with an fstab file potentially containing cleartext passwords, and lacks a warning about reviewing this archive to detect included passwords, which might allow remote attackers to obtain sensitive information by leveraging access to a technical-support data stream.
45 CVE-2014-3660 DoS 2014-11-04 2016-05-05
5.0
None Remote Low Not required None None Partial
parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
46 CVE-2014-3633 119 DoS Overflow 2014-10-06 2015-01-02
5.8
None Remote Medium Not required Partial None Partial
The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt before 1.2.9, when a disk has been hot-plugged or removed from the live image, allows remote attackers to cause a denial of service (crash) or read sensitive heap information via a crafted blkiotune query, which triggers an out-of-bounds read.
47 CVE-2014-3583 119 DoS Overflow 2014-12-15 2016-04-01
5.0
None Remote Low Not required None None Partial
The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers.
48 CVE-2014-3565 399 DoS 2014-10-07 2015-11-23
5.0
None Remote Low Not required None None Partial
snmplib/mib.c in net-snmp 5.7.0 and earlier, when the -OQ option is used, allows remote attackers to cause a denial of service (snmptrapd crash) via a crafted SNMP trap message, which triggers a conversion to the variable type designated in the MIB file, as demonstrated by a NULL type in an ifMtu trap message.
49 CVE-2014-0473 264 Bypass CSRF 2014-04-23 2014-11-13
5.0
None Remote Low Not required Partial None None
The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.
50 CVE-2014-0472 94 2014-04-23 2014-11-13
5.1
None Remote High Not required Partial Partial Partial
The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."
Total number of vulnerabilities : 78   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.