VYPR

Vendor CVEs

GNOME Foundation

All CVEs

412 total · sorted by risk
  • CVE-2019-11460 · Apr 22, 2019
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the…

  • CVE-2019-11459 · Apr 22, 2019
    risk 0.00 · cvss · epss 0.01

    The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.

  • CVE-2011-1830 · Apr 22, 2019
    risk 0.00 · cvss · epss 0.01

    Ekiga versions before 3.3.0 attempted to load a module from /tmp/ekiga_test.so.

  • CVE-2019-3827 · Mar 25, 2019
    risk 0.00 · cvss · epss 0.00

    An incorrect permission check in the admin backend in gvfs before version 1.39.4 was found that allows reading and modifying arbitrary files by privileged users without asking for a password when no authentication agent is running. This vulnerability can be exploited by malicious…

  • CVE-2019-9633 · Mar 8, 2019
    risk 0.00 · cvss · epss 0.02

    gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application…

  • CVE-2017-12447 · Mar 7, 2019
    risk 0.00 · cvss · epss 0.01

    GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.

  • CVE-2018-15587 · Feb 11, 2019
    risk 0.00 · cvss · epss 0.02

    GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment.

  • CVE-2019-3820 · Feb 6, 2019
    risk 0.00 · cvss · epss 0.01

    It was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard shortcuts, and potentially other actions.

  • CVE-2019-3825 · Feb 6, 2019
    risk 0.00 · cvss · epss 0.01

    A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session.

  • CVE-2018-20430 · Dec 24, 2018
    risk 0.00 · cvss · epss 0.02

    GNU Libextractor through 1.8 has an out-of-bounds read vulnerability in the function history_extract() in plugins/ole2_extractor.c, related to EXTRACTOR_common_convert_to_utf8 in common/convert.c.

  • CVE-2018-19358 · Nov 18, 2018
    risk 0.00 · cvss · epss 0.01

    GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms…

  • CVE-2008-7320 · Nov 18, 2018
    risk 0.00 · cvss · epss 0.00

    GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision

  • CVE-2018-18718 · Oct 28, 2018
    risk 0.00 · cvss · epss 0.00

    An issue was discovered in gThumb through 3.6.2. There is a double-free vulnerability in the add_themes_from_dir method in dlg-contact-sheet.c because of two successive calls of g_free, each of which frees the same buffer.

  • CVE-2018-12713 · Critical · Jun 24, 2018
    risk 0.00 · cvss 9.1 · epss 0.02

    GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that already exists, as demonstrated by the gimp_write_and_read_file function in app/tests/test-xcf.c. This might be leveraged by attackers to overwrite files or read…

  • CVE-2018-1000041 · High · Feb 9, 2018
    risk 0.00 · cvss 8.8 · epss 0.02

    GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains an improper input validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB. This attack appear…

  • CVE-2015-7496 · Nov 24, 2015
    risk 0.00 · cvss · epss 0.00

    GNOME Display Manager (gdm) before 3.18.2 allows physically proximate attackers to bypass the lock screen by holding the Escape key.

  • CVE-2015-7942 · Nov 18, 2015
    risk 0.00 · cvss · epss 0.05

    The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a…

  • CVE-2015-7941 · Nov 18, 2015
    risk 0.00 · cvss · epss 0.03

    libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as…

  • CVE-2015-0272 · Nov 17, 2015
    risk 0.00 · cvss · epss 0.05

    GNOME NetworkManager allows remote attackers to cause a denial of service (IPv6 traffic disruption) via a crafted MTU value in an IPv6 Router Advertisement (RA) message, a different vulnerability than CVE-2015-8215.

  • CVE-2015-7674 · Oct 26, 2015
    risk 0.00 · cvss · epss 0.06

    Integer overflow in the pixops_scale_nearest function in pixops/pixops.c in gdk-pixbuf before 2.32.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted GIF image file, which triggers a heap-based buffer…

  • CVE-2015-7673 · Oct 26, 2015
    risk 0.00 · cvss · epss 0.05

    io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its allocation failed, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) and possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file.

  • CVE-2015-2785 · Mar 29, 2015
    risk 0.00 · cvss · epss 0.03

    The GIF encoder in Byzanz allows remote attackers to cause a denial of service (out-of-bounds heap write and crash) or possibly execute arbitrary code via a crafted Byzanz debug data recording (ByzanzRecording file) to the byzanz-playback command.

  • CVE-2014-8154 · Jan 27, 2015
    risk 0.00 · cvss · epss 0.03

    The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a…

  • CVE-2014-1949 · Jan 16, 2015
    risk 0.00 · cvss · epss 0.00

    GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button.

  • CVE-2015-0552 · Jan 15, 2015
    risk 0.00 · cvss · epss 0.03

    Directory traversal vulnerability in the gcab_folder_extract function in libgcab/gcab-folder.c in gcab 0.4 allows remote attackers to write to arbitrary files via crafted path in a CAB file, as demonstrated by "\tmp\moo."

  • CVE-2014-7300 · Dec 25, 2014
    risk 0.00 · cvss · epss 0.00

    GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to execute arbitrary commands on an unattended workstation by making many PrtSc…

  • CVE-2014-5444 · Sep 30, 2014
    risk 0.00 · cvss · epss 0.01

    Geary before 0.6.3 does not present the user with a warning when a TLS certificate error is detected, which makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

  • CVE-2011-2198 · May 21, 2014
    risk 0.00 · cvss · epss 0.02

    The "insert-blank-characters" capability in caps.c in gnome-terminal (vte) before 0.28.1 allows remote authenticated users to cause a denial of service (CPU and memory consumption and crash) via a crafted file, as demonstrated by a file containing the string…

  • CVE-2013-7273 · Apr 29, 2014
    risk 0.00 · cvss · epss 0.00

    GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list is set to true, allows local users to cause a denial of service (unable to login) by pressing the cancel button after entering a user name.

  • CVE-2013-7221 · Apr 29, 2014
    risk 0.00 · cvss · epss 0.00

    The automatic screen lock functionality in GNOME Shell (aka gnome-shell) before 3.10 does not prevent access to the "Enter a Command" dialog, which allows physically proximate attackers to execute arbitrary commands by leveraging an unattended workstation.

  • CVE-2013-7220 · Apr 29, 2014
    risk 0.00 · cvss · epss 0.00

    js/ui/screenShield.js in GNOME Shell (aka gnome-shell) before 3.8 allows physically proximate attackers to execute arbitrary commands by leveraging an unattended workstation with the keyboard focus on the Activities search.

  • CVE-2013-1853 · Jan 24, 2014
    risk 0.00 · cvss · epss 0.00

    Almanah Diary 0.9.0 and 0.10.0 do not encrypt the database when closed, which allows local users to obtain sensitive information by reading the database.

  • CVE-2013-6836 · Dec 19, 2013
    risk 0.00 · cvss · epss 0.02

    Heap-based buffer overflow in the ms_escher_get_data function in plugins/excel/ms-escher.c in GNOME Office Gnumeric before 1.12.9 allows remote attackers to cause a denial of service (crash) via a crafted xls file with a crafted length value.

  • CVE-2013-1881 · Oct 10, 2013
    risk 0.00 · cvss · epss 0.03

    GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

  • CVE-2013-4169 · Sep 10, 2013
    risk 0.00 · cvss · epss 0.00

    GNOME Display Manager (gdm) before 2.21.1 allows local users to change permissions of arbitrary directories via a symlink attack on /tmp/.X11-unix/.

  • CVE-2013-1969 · Apr 25, 2013
    risk 0.00 · cvss · epss 0.04

    Multiple use-after-free vulnerabilities in libxml2 2.9.0 and possibly other versions might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the (1) htmlParseChunk and (2) xmldecl_done functions, as…

  • CVE-2013-1799 · Apr 2, 2013
    risk 0.00 · cvss · epss 0.01

    Gnome Online Accounts (GOA) 3.6.x before 3.6.3 and 3.7.x before 3.7.91 does not properly validate SSL certificates when creating accounts for providers who use the libsoup library, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by…

  • CVE-2013-0240 · Apr 2, 2013
    risk 0.00 · cvss · epss 0.01

    Gnome Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.5 does not properly validate SSL certificates when creating accounts such as Windows Live and Facebook accounts, which allows man-in-the-middle attackers to obtain sensitive information such as…

  • CVE-2011-1165 · Mar 12, 2013
    risk 0.00 · cvss · epss 0.02

    Vino, possibly before 3.2, does not properly document that it opens ports in UPnP routers when the "Configure network to automatically accept connections" setting is enabled, which might make it easier for remote attackers to perform further attacks.

  • CVE-2011-1164 · Mar 12, 2013
    risk 0.00 · cvss · epss 0.02

    Vino before 2.99.4 can connect to external networks contrary to the statement in the vino-preferences dialog box, which might make it easier for remote attackers to perform attacks.

  • CVE-2013-1050 · Mar 8, 2013
    risk 0.00 · cvss · epss 0.00

    The default configuration in gnome-screensaver 3.5.4 through 3.6.0 sets the AutostartCondition line to fallback mode in the .desktop file, which prevents the program from starting automatically after login and allows physically proximate attackers to bypass screen locking and…

  • CVE-2011-3201 · Mar 8, 2013
    risk 0.00 · cvss · epss 0.03

    GNOME Evolution before 3.2.3 allows user-assisted remote attackers to read arbitrary files via the attachment parameter to a mailto: URL, which attaches the file to the email.

  • CVE-2010-2387 · Dec 21, 2012
    risk 0.00 · cvss · epss 0.01

    vicious-extensions/ve-misc.c in GNOME Display Manager (gdm) 2.20.x before 2.20.11, when GDM debug is enabled, logs the user password when it contains invalid UTF8 encoded characters, which might allow local users to gain privileges by reading the information from syslog logs.

  • CVE-2012-5134 · Nov 28, 2012
    risk 0.00 · cvss · epss 0.04

    Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted…

  • CVE-2011-5244 · Nov 19, 2012
    risk 0.00 · cvss · epss 0.03

    Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code…

  • CVE-2011-0433 · Nov 19, 2012
    risk 0.00 · cvss · epss 0.04

    Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted…

  • CVE-2012-4511 · Oct 22, 2012
    risk 0.00 · cvss · epss 0.02

    services/flickr/flickr.c in libsocialweb before 0.25.21 automatically connects to Flickr when no Flickr account is set, which might allow remote attackers to obtain sensitive information via a man-in-the-middle (MITM) attack.

  • CVE-2012-3466 · Oct 22, 2012
    risk 0.00 · cvss · epss 0.00

    GNOME gnome-keyring 3.4.0 through 3.4.1, when gpg-cache-method is set to "idle" or "timeout," does not properly limit the amount of time a passphrase is cached, which allows attackers to have an unspecified impact via unknown attack vectors.

  • CVE-2011-4129 · Oct 22, 2012
    risk 0.00 · cvss · epss 0.02

    (1) services/twitter/twitter-contact-view.c and (2) services/twitter/twitter-item-view.c in libsocialweb before 0.25.20 automatically connect to Twitter when no Twitter account is set, which might allow remote attackers to obtain sensitive information via a man-in-the-middle…

  • CVE-2012-4427 · Oct 1, 2012
    risk 0.00 · cvss · epss 0.01

    The gnome-shell plugin 3.4.1 in GNOME allows remote attackers to force the download and installation of arbitrary extensions from extensions.gnome.org via a crafted web page.

Page 6 of 9