VYPR

Vendor CVEs

Debian

All CVEs

3,363 total · sorted by risk
  • CVE-2015-8552MedApr 13, 2016
    risk 0.29cvss 4.4epss 0.00

    The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with…

  • CVE-2015-5345MedFeb 25, 2016
    risk 0.29cvss 5.3epss 0.18

    The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that…

  • CVE-2015-5174MedFeb 25, 2016
    risk 0.29cvss 4.3epss 0.13

    Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a…

  • CVE-2014-3690MedNov 10, 2014
    risk 0.29cvss 5.5epss 0.01

    arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS users to kill arbitrary processes or cause a denial of service (system…

  • CVE-2014-3647MedNov 10, 2014
    risk 0.29cvss 5.5epss 0.01

    arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.

  • CVE-2014-3646MedNov 10, 2014
    risk 0.29cvss 5.5epss 0.00

    arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.

  • CVE-2014-3610MedNov 10, 2014
    risk 0.29cvss 5.5epss 0.01

    The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 does not properly handle the writing of a non-canonical address to a model-specific register, which allows guest OS users to cause a denial of service (host OS crash) by leveraging guest…

  • CVE-2012-0879MedMay 17, 2012
    risk 0.29cvss 5.5epss 0.00

    The I/O implementation for block devices in the Linux kernel before 2.6.33 does not properly handle the CLONE_IO feature, which allows local users to cause a denial of service (I/O instability) by starting multiple processes that share an I/O context.

  • CVE-2020-26932MedOct 10, 2020
    risk 0.28cvss 4.3epss 0.01

    debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group)

  • CVE-2019-16910MedSep 26, 2019
    risk 0.28cvss 5.3epss 0.02

    Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times.…

  • CVE-2019-13117MedJul 1, 2019
    risk 0.28cvss 5.3epss 0.06

    In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

  • CVE-2017-17094MedDec 2, 2017
    risk 0.28cvss 5.4epss 0.02

    wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.

  • CVE-2017-17093MedDec 2, 2017
    risk 0.28cvss 5.4epss 0.02

    wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.

  • CVE-2017-17092MedDec 2, 2017
    risk 0.28cvss 5.4epss 0.04

    wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.

  • CVE-2017-16804MedNov 13, 2017
    risk 0.28cvss 4.3epss 0.02

    In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages.

  • CVE-2017-5119MedOct 27, 2017
    risk 0.28cvss 4.3epss 0.02

    Use of an uninitialized value in Skia in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

  • CVE-2017-5118MedOct 27, 2017
    risk 0.28cvss 4.3epss 0.01

    Blink in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, failed to correctly propagate CSP restrictions to javascript scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page.

  • CVE-2017-5109MedOct 27, 2017
    risk 0.28cvss 4.3epss 0.01

    Inappropriate implementation of unload handler handling in permission prompts in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to display UI on a non attacker controlled tab via a crafted HTML page.

  • CVE-2017-5103MedOct 27, 2017
    risk 0.28cvss 4.3epss 0.02

    Use of an uninitialized value in Skia in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

  • CVE-2017-5102MedOct 27, 2017
    risk 0.28cvss 4.3epss 0.02

    Use of an uninitialized value in Skia in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

  • CVE-2016-6794MedAug 10, 2017
    risk 0.28cvss 5.3epss 0.07

    When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement…

  • CVE-2017-3651MedAug 8, 2017
    risk 0.28cvss 4.3epss 0.02

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows low privileged attacker with network…

  • CVE-2017-10081MedAug 8, 2017
    risk 0.28cvss 4.3epss 0.02

    Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network…

  • CVE-2017-5046MedApr 24, 2017
    risk 0.28cvss 4.3epss 0.01

    V8 in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android had insufficient policy enforcement, which allowed a remote attacker to spoof the location object via a crafted HTML page, related to Blink information disclosure.

  • CVE-2017-5033MedApr 24, 2017
    risk 0.28cvss 4.3epss 0.01

    Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the…

  • CVE-2017-3464MedApr 24, 2017
    risk 0.28cvss 4.3epss 0.02

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access…

  • CVE-2017-6817MedMar 12, 2017
    risk 0.28cvss 5.4epss 0.02

    In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.

  • CVE-2017-6814MedMar 12, 2017
    risk 0.28cvss 5.4epss 0.03

    In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in…

  • CVE-2017-5610MedJan 30, 2017
    risk 0.28cvss 5.3epss 0.05

    wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms.

  • CVE-2016-4428MedJul 12, 2016
    risk 0.28cvss 5.4epss 0.02

    Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.

  • CVE-2016-1658MedApr 18, 2016
    risk 0.28cvss 4.3epss 0.01

    The Extensions subsystem in Google Chrome before 50.0.2661.75 incorrectly relies on GetOrigin method calls for origin comparisons, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted extension.

  • CVE-2016-1657MedApr 18, 2016
    risk 0.28cvss 4.3epss 0.01

    The WebContentsImpl::FocusLocationBarByDefault function in content/browser/web_contents/web_contents_impl.cc in Google Chrome before 50.0.2661.75 mishandles focus for certain about:blank pages, which allows remote attackers to spoof the address bar via a crafted URL.

  • CVE-2014-6276MedApr 13, 2016
    risk 0.28cvss 4.3epss 0.02

    schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.

  • CVE-2015-8537MedApr 12, 2016
    risk 0.28cvss 5.3epss 0.02

    app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote attackers to obtain sensitive information by viewing an Atom feed.

  • CVE-2015-8346MedApr 12, 2016
    risk 0.28cvss 5.3epss 0.02

    app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form.

  • CVE-2016-0706MedFeb 25, 2016
    risk 0.28cvss 4.3epss 0.06

    Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass…

  • CVE-2016-1626MedFeb 14, 2016
    risk 0.28cvss 4.3epss 0.01

    The opj_pi_update_decode_poc function in pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, miscalculates a certain layer index value, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document.

  • CVE-2016-1625MedFeb 14, 2016
    risk 0.28cvss 4.3epss 0.01

    The Chrome Instant feature in Google Chrome before 48.0.2564.109 does not ensure that a New Tab Page (NTP) navigation target is on the most-visited or suggestions list, which allows remote attackers to bypass intended restrictions via unspecified vectors, related to…

  • CVE-2015-8629MedFeb 13, 2016
    risk 0.28cvss 5.3epss 0.04

    The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a…

  • CVE-2014-9271MedJan 9, 2015
    risk 0.28cvss 5.4epss 0.02

    Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename.

  • CVE-2017-10268MedOct 19, 2017
    risk 0.27cvss 4.1epss 0.01

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon…

  • CVE-2017-3652MedAug 8, 2017
    risk 0.27cvss 4.2epss 0.01

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access…

  • CVE-2016-0668MedApr 21, 2016
    risk 0.27cvss 4.1epss 0.01

    Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier and MariaDB 10.0.x before 10.0.24 and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to InnoDB.

  • CVE-2026-34757MedApr 9, 2026
    risk 0.26cvss 5.1epss 0.00

    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter…

  • CVE-2017-10295MedOct 19, 2017
    risk 0.26cvss 4.0epss 0.02

    Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows…

  • CVE-2017-1000369MedJun 19, 2017
    risk 0.26cvss 4.0epss 0.01

    Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream…

  • CVE-2017-3318MedJan 27, 2017
    risk 0.26cvss 4.0epss 0.00

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Error Handling). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with…

  • CVE-2017-3317MedJan 27, 2017
    risk 0.26cvss 4.0epss 0.00

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Logging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the…

  • CVE-2017-6816MedMar 12, 2017
    risk 0.25cvss 4.9epss 0.03

    In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality.

  • CVE-2016-3159LowApr 13, 2016
    risk 0.25cvss 3.8epss 0.00

    The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending…

Page 38 of 68