Vulnerabilities > Debian > High

DATE CVE VULNERABILITY TITLE RISK
2016-09-21 CVE-2016-7163 Integer Overflow or Wraparound vulnerability in multiple products
Integer overflow in the opj_pi_create_decode function in pi.c in OpenJPEG allows remote attackers to execute arbitrary code via a crafted JP2 file, which triggers an out-of-bounds read or write.
7.8
2016-09-21 CVE-2015-8871 Use After Free vulnerability in multiple products
Use-after-free vulnerability in the opj_j2k_write_mco function in j2k.c in OpenJPEG before 2.1.1 allows remote attackers to have unspecified impact via unknown vectors.
network
low complexity
debian uclouvain CWE-416
7.5
2016-09-07 CVE-2016-6318 Out-of-bounds Write vulnerability in multiple products
Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.
local
low complexity
cracklib-project opensuse debian CWE-787
7.8
2016-08-13 CVE-2016-5384 Double Free vulnerability in multiple products
fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.
7.8
2016-08-10 CVE-2016-5421 Use After Free vulnerability in multiple products
Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.
8.1
2016-08-10 CVE-2016-5420 Improper Authorization vulnerability in multiple products
curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
network
low complexity
debian haxx opensuse CWE-285
7.5
2016-08-10 CVE-2016-5419 Cryptographic Issues vulnerability in multiple products
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
network
low complexity
haxx debian opensuse CWE-310
7.5
2016-08-07 CVE-2016-4029 Server-Side Request Forgery (SSRF) vulnerability in multiple products
WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.
network
low complexity
wordpress debian CWE-918
8.6
2016-08-07 CVE-2016-5772 Double Free vulnerability in multiple products
Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call.
network
low complexity
php suse opensuse debian CWE-415
7.5
2016-08-07 CVE-2016-5771 Use After Free vulnerability in multiple products
spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
network
low complexity
php opensuse debian CWE-416
7.5