Vulnerabilities > Debian > High

DATE CVE VULNERABILITY TITLE RISK
2016-04-13 CVE-2016-2056 Command Injection vulnerability in multiple products
xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the adduser_name argument in (1) web/useradm.c or (2) web/chpasswd.c.
network
low complexity
xymon debian CWE-77
8.8
2016-04-13 CVE-2016-2055 Information Exposure vulnerability in multiple products
xymond/xymond.c in xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow remote attackers to read arbitrary files in the configuration directory via a "config" command.
network
low complexity
xymon debian CWE-200
7.5
2016-04-13 CVE-2015-8080 Integer Overflow or Wraparound vulnerability in multiple products
Integer overflow in the getnum function in lua_struct.c in Redis 2.8.x before 2.8.24 and 3.0.x before 3.0.6 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service (memory corruption and application crash) or possibly bypass intended sandbox restrictions via a large number, which triggers a stack-based buffer overflow.
network
low complexity
redislabs debian opensuse redhat CWE-190
7.5
2016-04-12 CVE-2016-2118 7PK - Security Features vulnerability in multiple products
The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK."
network
high complexity
samba canonical debian CWE-254
7.5
2016-04-12 CVE-2016-3171 Data Processing Errors vulnerability in multiple products
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
network
high complexity
drupal debian CWE-19
8.1
2016-04-12 CVE-2016-3169 Permissions, Privileges, and Access Controls vulnerability in multiple products
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
network
high complexity
debian drupal CWE-264
8.1
2016-04-12 CVE-2016-3167 Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.
network
low complexity
drupal debian
7.4
2016-04-12 CVE-2016-3164 Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.
network
low complexity
drupal debian
7.4
2016-04-12 CVE-2016-3163 7PK - Security Features vulnerability in multiple products
The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.
network
low complexity
debian drupal CWE-254
7.5
2016-04-12 CVE-2016-3162 Improper Access Control vulnerability in multiple products
The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.
network
low complexity
drupal debian CWE-284
8.1