Vulnerabilities > Debian > Debian Linux > High

DATE CVE VULNERABILITY TITLE RISK
2016-04-12 CVE-2016-3167 Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.
network
low complexity
drupal debian
7.4
2016-04-12 CVE-2016-3164 Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.
network
low complexity
drupal debian
7.4
2016-04-12 CVE-2016-3163 7PK - Security Features vulnerability in multiple products
The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.
network
low complexity
debian drupal CWE-254
7.5
2016-04-12 CVE-2016-3162 Improper Access Control vulnerability in multiple products
The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.
network
low complexity
drupal debian CWE-284
8.1
2016-04-12 CVE-2015-8702 Improper Input Validation vulnerability in multiple products
The DNS::GetResult function in dns.cpp in InspIRCd before 2.0.19 allows remote DNS servers to cause a denial of service (netsplit) via an invalid character in a PTR response, as demonstrated by a "\032" (whitespace) character in a hostname.
network
low complexity
debian inspircd CWE-20
8.6
2016-04-12 CVE-2015-8474 Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985.
network
low complexity
debian redmine
7.4
2016-04-12 CVE-2016-2857 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.
local
low complexity
qemu canonical debian redhat CWE-119
8.4
2016-04-12 CVE-2016-1568 Use After Free vulnerability in multiple products
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
local
low complexity
qemu redhat debian CWE-416
8.8
2016-04-11 CVE-2016-1235 Permissions, Privileges, and Access Controls vulnerability in multiple products
The oarsh script in OAR before 2.5.7 allows remote authenticated users of a cluster to obtain sensitive information and possibly gain privileges via vectors related to OpenSSH options.
network
low complexity
oar-project debian CWE-264
8.8
2016-04-11 CVE-2012-6700 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The decode_search function in dhcp.c in dhcpcd 3.x does not properly free allocated memory, which allows remote DHCP servers to cause a denial of service via a crafted response.
network
low complexity
debian dhcpcd-project CWE-119
7.5