Vulnerabilities > Debian > High

DATE CVE VULNERABILITY TITLE RISK
2013-12-07 CVE-2013-6410 Permissions, Privileges, and Access Controls vulnerability in multiple products
nbd-server in Network Block Device (nbd) before 3.5 does not properly check IP addresses, which might allow remote attackers to bypass intended access restrictions via an IP address that has a partial match in the authfile configuration file.
network
low complexity
wouter-verhelst debian canonical CWE-264
7.5
2013-11-20 CVE-2013-4559 Permissions, Privileges, and Access Controls vulnerability in multiple products
lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.
network
high complexity
lighttpd debian opensuse CWE-264
7.6
2013-11-13 CVE-2013-6621 Resource Management Errors vulnerability in multiple products
Use-after-free vulnerability in Google Chrome before 31.0.1650.48 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the x-webkit-speech attribute in a text INPUT element.
network
low complexity
opensuse google debian CWE-399
7.5
2013-10-28 CVE-2013-4391 Integer Overflow or Wraparound vulnerability in multiple products
Integer overflow in the valid_user_field function in journal/journald-native.c in systemd allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large journal data field, which triggers a heap-based buffer overflow.
network
low complexity
systemd-project debian CWE-190
7.5
2013-08-29 CVE-2013-5589 SQL Injection vulnerability in multiple products
SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
network
low complexity
debian cacti opensuse CWE-89
7.5
2013-08-28 CVE-2013-2072 Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products
Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap.
7.4
2013-06-26 CVE-2013-1690 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.
8.8
2013-05-25 CVE-2013-3561 Numeric Errors vulnerability in multiple products
Multiple integer overflows in Wireshark 1.8.x before 1.8.7 allow remote attackers to cause a denial of service (loop or application crash) via a malformed packet, related to a crash of the Websocket dissector, an infinite loop in the MySQL dissector, and a large loop in the ETCH dissector.
network
low complexity
debian opensuse wireshark CWE-189
7.8
2013-04-25 CVE-2013-1915 XXE vulnerability in multiple products
ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.
network
low complexity
trustwave opensuse fedoraproject debian CWE-611
7.5
2013-03-07 CVE-2013-2487 Numeric Errors vulnerability in multiple products
epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses incorrect integer data types, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet, related to the (1) dissect_icecandidates, (2) dissect_kinddata, (3) dissect_nodeid_list, (4) dissect_storeans, (5) dissect_storereq, (6) dissect_storeddataspecifier, (7) dissect_fetchreq, (8) dissect_findans, (9) dissect_diagnosticinfo, (10) dissect_diagnosticresponse, (11) dissect_reload_messagecontents, and (12) dissect_reload_message functions, a different vulnerability than CVE-2013-2486.
network
low complexity
debian opensuse wireshark CWE-189
7.8