Total
9187 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-22815 | 2 Debian, Python | 2 Debian Linux, Pillow | 2023-01-31 | 6.4 MEDIUM | 6.5 MEDIUM |
| path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. | |||||
| CVE-2018-11563 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2023-01-31 | 4.9 MEDIUM | 4.6 MEDIUM |
| An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7. A carefully constructed email could be used to inject and execute arbitrary stylesheet or JavaScript code in a logged in customer's browser in the context of the OTRS customer panel application. | |||||
| CVE-2019-11730 | 4 Debian, Mozilla, Opensuse and 1 more | 7 Debian Linux, Firefox, Firefox Esr and 4 more | 2023-01-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | |||||
| CVE-2021-3805 | 2 Debian, Object-path Project | 2 Debian Linux, Object-path | 2023-01-30 | 5.0 MEDIUM | 7.5 HIGH |
| object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
| CVE-2021-23450 | 3 Debian, Linuxfoundation, Oracle | 5 Debian Linux, Dojo, Communications Policy Management and 2 more | 2023-01-30 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. | |||||
| CVE-2021-23434 | 2 Debian, Object-path Project | 2 Debian Linux, Object-path | 2023-01-30 | 7.5 HIGH | 8.6 HIGH |
| This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different. | |||||
| CVE-2017-2816 | 2 Debian, Libofx Project | 2 Debian Linux, Libofx | 2023-01-28 | 6.8 MEDIUM | 8.8 HIGH |
| An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability. | |||||
| CVE-2021-46837 | 3 Asterisk, Debian, Digium | 3 Certified Asterisk, Debian Linux, Asterisk | 2023-01-28 | N/A | 6.5 MEDIUM |
| res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line and zero port in a response to a T.38 re-invite initiated by Asterisk. This is a re-occurrence of the CVE-2019-15297 symptoms but not for exactly the same reason. The crash occurs because there is an append operation relative to the active topology, but this should instead be a replace operation. | |||||
| CVE-2021-43299 | 2 Debian, Teluu | 2 Debian Linux, Pjsip | 2023-01-28 | 7.5 HIGH | 9.8 CRITICAL |
| Stack overflow in PJSUA API when calling pjsua_player_create. An attacker-controlled 'filename' argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation. | |||||
| CVE-2021-43301 | 2 Debian, Teluu | 2 Debian Linux, Pjsip | 2023-01-28 | 7.5 HIGH | 9.8 CRITICAL |
| Stack overflow in PJSUA API when calling pjsua_playlist_create. An attacker-controlled 'file_names' argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation. | |||||
| CVE-2017-14448 | 2 Debian, Libsdl | 2 Debian Linux, Sdl Image | 2023-01-27 | 6.8 MEDIUM | 8.8 HIGH |
| An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. | |||||
| CVE-2020-17446 | 2 Debian, Magic | 2 Debian Linux, Asyncpg | 2023-01-27 | 7.5 HIGH | 9.8 CRITICAL |
| asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized pointer in the array data decoder. | |||||
| CVE-2019-17637 | 2 Debian, Eclipse | 2 Debian Linux, Web Tools Platform | 2023-01-27 | 5.8 MEDIUM | 7.1 HIGH |
| In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences. | |||||
| CVE-2021-43845 | 2 Debian, Teluu | 2 Debian Linux, Pjsip | 2023-01-27 | 6.4 MEDIUM | 9.1 CRITICAL |
| PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if incoming RTCP XR message contain block, the data field is not checked against the received packet size, potentially resulting in an out-of-bound read access. This affects all users that use PJMEDIA and RTCP XR. A malicious actor can send a RTCP XR message with an invalid packet size. | |||||
| CVE-2021-30130 | 2 Debian, Phpseclib | 2 Debian Linux, Phpseclib | 2023-01-27 | 5.0 MEDIUM | 7.5 HIGH |
| phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification. | |||||
| CVE-2021-43302 | 2 Debian, Teluu | 2 Debian Linux, Pjsip | 2023-01-27 | 6.4 MEDIUM | 9.1 CRITICAL |
| Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename' argument may cause an out-of-bounds read when the filename is shorter than 4 characters. | |||||
| CVE-2021-43300 | 2 Debian, Teluu | 2 Debian Linux, Pjsip | 2023-01-27 | 7.5 HIGH | 9.8 CRITICAL |
| Stack overflow in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename' argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation. | |||||
| CVE-2020-24361 | 2 Debian, Snmptt | 2 Debian Linux, Snmptt | 2023-01-27 | 7.5 HIGH | 9.8 CRITICAL |
| SNMPTT before 1.4.2 allows attackers to execute shell code via EXEC, PREXEC, or unknown_trap_exec. | |||||
| CVE-2020-15569 | 2 Debian, Milkytracker Project | 2 Debian Linux, Milkytracker | 2023-01-27 | 4.3 MEDIUM | 5.5 MEDIUM |
| PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor. | |||||
| CVE-2020-11061 | 2 Bareos, Debian | 2 Bareos, Debian Linux | 2023-01-27 | 6.0 MEDIUM | 7.4 HIGH |
| In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10. | |||||