Threat Intelligence

CVE-2019-9850 (v3: 9.8) 15 Aug 2019

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

CVE-2019-9851 (v3: 9.8) 15 Aug 2019

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

CVE-2018-12367 (v3: 4.3) 18 Oct 2018

In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work PerformanceNavigationTiming was not adjusted but it was found that it could be used as a precision timer. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61.

CVE-2018-17141 (v3: 9.8) 21 Sept 2018

HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute arbitrary code via a dial-in session that provides a FAX page with the JPEG bit enabled, which is mishandled in FaxModem::writeECMData() in the faxd/CopyQuality.c++ file.

CVE-2018-17183 (v3: 7.8) 19 Sept 2018

Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code.

CVE-2018-16657 (v3: 9.8) 7 Sept 2018

In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with an invalid Via header causes a segmentation fault and crashes Kamailio. The reason is missing input validation in the crcitt_string_array core function for calculating a CRC hash for To tags. (An additional error is present in the check_via_address core function: this function also misses input validation.) This could result in denial of service and potentially the execution of arbitrary code.

CVE-2018-10929 (v3: 8.8) 4 Sept 2018

A flaw was found in RPC request using gfs2_create_req in glusterfs server. An authenticated attacker could use this flaw to create arbitrary files and execute arbitrary code on glusterfs server nodes.

CVE-2018-14767 (v3: 9.8) 31 Jul 2018

In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with a double "To" header and an empty "To" tag causes a segmentation fault and crash. The reason is missing input validation in the "build_res_buf_from_sip_req" core function. This could result in denial of service and potentially the execution of arbitrary code.

CVE-2018-14349 (v3: 9.8) 17 Jul 2018

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a NO response without a message.

CVE-2018-14351 (v3: 9.8) 17 Jul 2018

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a long IMAP status mailbox literal count size.

CVE-2018-14361 (v3: 9.8) 17 Jul 2018

An issue was discovered in NeoMutt before 2018-07-16. nntp.c proceeds even if memory allocation fails for messages data.

CVE-2018-5130 (v3: 8.8) 11 Jun 2018

When packets with a mismatched RTP payload type are sent in WebRTC connections, in some circumstances a potentially exploitable crash is triggered. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59.

CVE-2017-7791 (v3: 5.3) 11 Jun 2018

On pages containing an iframe, the "data:" protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.

CVE-2017-7807 (v3: 8.1) 11 Jun 2018

A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.

CVE-2017-5383 (v3: 5.3) 11 Jun 2018

URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.

CVE-2017-7825 (v3: 5.3) 11 Jun 2018

Several fonts on OS X display some Tibetan and Arabic characters as whitespace. When used in the addressbar as part of an IDN this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.

CVE-2017-12176 (v3: 9.8) 24 Jan 2018

xorg-x11-server before 1.19.5 was missing extra length validation in ProcEstablishConnection function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CVE-2017-12178 (v3: 9.8) 24 Jan 2018

xorg-x11-server before 1.19.5 had wrong extra length check in ProcXIChangeHierarchy function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CVE-2017-12180 (v3: 9.8) 24 Jan 2018

xorg-x11-server before 1.19.5 was missing length validation in XFree86 VidModeExtension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CVE-2017-12181 (v3: 9.8) 24 Jan 2018

xorg-x11-server before 1.19.5 was missing length validation in XFree86 DGA extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CVE-2017-12182 (v3: 9.8) 24 Jan 2018

xorg-x11-server before 1.19.5 was missing length validation in XFree86 DRI extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CVE-2017-12183 (v3: 9.8) 24 Jan 2018

xorg-x11-server before 1.19.5 was missing length validation in XFIXES extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CVE-2017-12184 (v3: 9.8) 24 Jan 2018

xorg-x11-server before 1.19.5 was missing length validation in XINERAMA extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CVE-2017-12185 (v3: 9.8) 24 Jan 2018

xorg-x11-server before 1.19.5 was missing length validation in MIT-SCREEN-SAVER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CVE-2017-12186 (v3: 9.8) 24 Jan 2018

xorg-x11-server before 1.19.5 was missing length validation in X-Resource extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CVE-2017-12187 (v3: 9.8) 24 Jan 2018

xorg-x11-server before 1.19.5 was missing length validation in RENDER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CVE-2017-13704 (v3: 7.5) 3 Oct 2017

In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in a memset call gets a negative value. As it is an unsigned value, memset ends up writing up to 0xffffffff zero's (0xffffffffffffffff in 64 bit platforms), making dnsmasq crash.

CVE-2016-10243 (v3: 9.8) 2 May 2017

TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.

CVE-2016-6128 (v3: 7.5) 7 Aug 2016

The gdImageCropThreshold function in gd_crop.c in the GD Graphics Library (aka libgd) before 2.2.3, as used in PHP before 7.0.9, allows remote attackers to cause a denial of service (application crash) via an invalid color index.

CVE-2016-4324 (v3: 7.8) 8 Jul 2016

Use-after-free vulnerability in LibreOffice before 5.1.4 allows remote attackers to execute arbitrary code via a crafted RTF file, related to stylesheet and superscript tokens.

CVE-2016-4449 (v3: 7.1) 9 Jun 2016

XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

CVE-2016-2194 (v3: 7.5) 13 May 2016

The ressol function in Botan before 1.10.11 and 1.11.x before 1.11.27 allows remote attackers to cause a denial of service (infinite loop) via unspecified input to the OS2ECP function, related to a composite modulus.

CVE-2016-1654 (v3: 6.5) 18 Apr 2016

The media subsystem in Google Chrome before 50.0.2661.75 does not initialize an unspecified data structure, which allows remote attackers to cause a denial of service (invalid read operation) via unknown vectors.

CVE-2016-3068 (v3: 8.8) 13 Apr 2016

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.

CVE-2016-2381 (v3: 6.5) 8 Apr 2016

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2016-2098 (v3: 7.3) 7 Apr 2016

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

CVE-2016-2270 (v3: 6.8) 19 Feb 2016

Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings.

CVE-2015-7558 (v3: 7.5) 20 May 2016

librsvg before 2.40.12 allows context-dependent attackers to cause a denial of service (infinite loop, stack consumption, and application crash) via cyclic references in an SVG document.

CVE-2015-8702 (v3: 8.6) 12 Apr 2016

The DNS::GetResult function in dns.cpp in InspIRCd before 2.0.19 allows remote DNS servers to cause a denial of service (netsplit) via an invalid character in a PTR response, as demonstrated by a "\032" (whitespace) character in a hostname.

CVE-2015-8476 (v2: 5) 16 Dec 2015

Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796.

CVE-2015-4652 (v2: 4.3) 22 Jul 2015

epan/dissectors/packet-gsm_a_dtap.c in the GSM DTAP dissector in Wireshark 1.12.x before 1.12.6 does not properly validate digit characters, which allows remote attackers to cause a denial of service (application crash) via a crafted packet, related to the de_emerg_num_list and de_bcd_num functions.

CVE-2015-1261 (v2: 5) 20 May 2015

android/java/src/org/chromium/chrome/browser/WebsiteSettingsPopup.java in Google Chrome before 43.0.2357.65 on Android does not properly restrict use of a URL's fragment identifier during construction of a page-info popup, which allows remote attackers to spoof the URL bar or deliver misleading popup content via crafted text.

CVE-2015-2753 (v2: 6.8) 31 Mar 2015

FreeXL before 1.0.0i allows remote attackers to cause a denial of service (stack corruption) or possibly execute arbitrary code via a crafted sector in a workbook.

CVE-2015-2776 (v2: 4.3) 31 Mar 2015

The parse_SST function in FreeXL before 1.0.0i allows remote attackers to cause a denial of service (memory consumption) via a crafted shared strings table in a workbook.

CVE-2015-0252 (v2: 5) 24 Mar 2015

internal/XMLReader.cpp in Apache Xerces-C before 3.1.2 allows remote attackers to cause a denial of service (segmentation fault and crash) via crafted XML data.

CVE-2015-1782 (v2: 6.8) 13 Mar 2015

The kex_agree_methods function in libssh2 before 1.5.0 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet.

CVE-2015-1382 (v2: 5) 3 Feb 2015

parsers.c in Privoxy before 3.0.23 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related to an HTTP time header.