Vulnerabilities > Debian > High

DATE CVE VULNERABILITY TITLE RISK
2017-11-15 CVE-2017-8814 Improper Input Validation vulnerability in multiple products
The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk."
network
low complexity
mediawiki debian CWE-20
7.5
2017-11-15 CVE-2017-8810 Information Exposure vulnerability in multiple products
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests.
network
low complexity
mediawiki debian CWE-200
7.5
2017-11-13 CVE-2016-8610 Resource Exhaustion vulnerability in multiple products
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake.
7.5
2017-11-09 CVE-2017-16651 Files or Directories Accessible to External Parties vulnerability in multiple products
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017.
local
low complexity
roundcube debian CWE-552
7.8
2017-11-09 CVE-2017-16669 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file, related to the AcquireCacheNexus function in magick/pixel_cache.c.
network
low complexity
graphicsmagick debian CWE-119
8.8
2017-11-07 CVE-2017-16642 Out-of-bounds Read vulnerability in multiple products
In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function.
network
low complexity
php debian canonical netapp CWE-125
7.5
2017-11-06 CVE-2017-15672 Out-of-bounds Read vulnerability in multiple products
The read_header function in libavcodec/ffv1dec.c in FFmpeg 2.4 and 3.3.4 and possibly earlier allows remote attackers to have unspecified impact via a crafted MP4 file, which triggers an out-of-bounds read.
network
low complexity
ffmpeg debian CWE-125
8.8
2017-11-05 CVE-2017-16546 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does not properly validate the colormap index in a WPG palette, which allows remote attackers to cause a denial of service (use of uninitialized data or invalid memory allocation) or possibly have unspecified other impact via a malformed WPG file.
network
low complexity
imagemagick debian canonical CWE-119
8.8
2017-11-04 CVE-2017-16526 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device.
local
low complexity
linux canonical debian CWE-119
7.8
2017-11-03 CVE-2017-16516 Use of Externally-Controlled Format String vulnerability in multiple products
In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c.
network
low complexity
yajl-ruby-project debian CWE-134
7.5