VYPR

Vendor CVEs

OpenSUSE

All CVEs

1,697 total · sorted by risk
  • CVE-2013-3709Dec 23, 2013
    risk 0.00cvss epss 0.00

    WebYaST 1.3 uses weak permissions for config/initializers/secret_token.rb, which allows local users to gain privileges by reading the Rails secret token from this file.

  • CVE-2013-4587Dec 14, 2013
    risk 0.00cvss epss 0.01

    Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value.

  • CVE-2013-6394Dec 13, 2013
    risk 0.00cvss epss 0.00

    Percona XtraBackup before 2.1.6 uses a constant string for the initialization vector (IV), which makes it easier for local users to defeat cryptographic protection mechanisms and conduct plaintext attacks.

  • CVE-2013-0348Dec 13, 2013
    risk 0.00cvss epss 0.01

    thttpd.c in sthttpd before 2.26.4-r2 and thttpd 2.25b use world-readable permissions for /var/log/thttpd.log, which allows local users to obtain sensitive information by reading the file.

  • CVE-2013-6672Dec 11, 2013
    risk 0.00cvss epss 0.03

    Mozilla Firefox before 26.0 and SeaMonkey before 2.23 on Linux allow user-assisted remote attackers to read clipboard data by leveraging certain middle-click paste operations.

  • CVE-2013-5619Dec 11, 2013
    risk 0.00cvss epss 0.04

    Multiple integer overflows in the binary-search implementation in SpiderMonkey in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 might allow remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted…

  • CVE-2013-5614Dec 11, 2013
    risk 0.00cvss epss 0.02

    Mozilla Firefox before 26.0 and SeaMonkey before 2.23 do not properly consider the sandbox attribute of an IFRAME element during processing of a contained OBJECT element, which allows remote attackers to bypass intended sandbox restrictions via a crafted web site.

  • CVE-2013-5612Dec 11, 2013
    risk 0.00cvss epss 0.03

    Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type…

  • CVE-2013-5611Dec 11, 2013
    risk 0.00cvss epss 0.02

    Mozilla Firefox before 26.0 does not properly remove the Application Installation doorhanger, which makes it easier for remote attackers to spoof a Web App installation site by controlling the timing of page navigation.

  • CVE-2013-1090Dec 6, 2013
    risk 0.00cvss epss 0.00

    The SUSE horde5 package before 5.0.2-2.4.1 sets incorrect ownership for certain configuration files and directories including /etc/apache2/vhosts.d, which allows local wwwrun users to gain privileges via unspecified vectors.

  • CVE-2012-0427Dec 2, 2013
    risk 0.00cvss epss 0.00

    yast2-add-on-creator in SUSE inst-source-utils 2008.11.26 before 2008.11.26-0.9.1 and 2012.9.13 before 2012.9.13-0.8.1 allows local users to gain privileges via a crafted (1) file name or (2) directory name.

  • CVE-2012-0425Dec 2, 2013
    risk 0.00cvss epss 0.01

    LanItems.ycp in save_y2logs in yast2-network before 2.24.4 in SUSE YaST writes cleartext Wi-Fi credentials to the y2log log file, which allows context-dependent attackers to obtain sensitive information by reading the (1) WIRELESS_WPA_PASSWORD or (2) WIRELESS_CLIENT_KEY_PASSWORD…

  • CVE-2012-0420Dec 2, 2013
    risk 0.00cvss epss 0.00

    zypp-refresh-wrapper in SUSE Zypper before 1.3.20 and 1.6.x before 1.6.166 allows local users to create files in arbitrary directories, or possibly have unspecified other impact, via a pathname in the ZYPP_LOCKFILE_ROOT environment variable.

  • CVE-2013-6712Nov 28, 2013
    risk 0.00cvss epss 0.05

    The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification.

  • CVE-2013-4509Nov 23, 2013
    risk 0.00cvss epss 0.00

    The default configuration of IBUS 1.5.4, and possibly 1.5.2 and earlier, when IBus.InputPurpose.PASSWORD is not set and used with GNOME 3, does not obscure the entered password characters, which allows physically proximate attackers to obtain a user password by reading the…

  • CVE-2013-0223Nov 23, 2013
    risk 0.00cvss epss 0.01

    The SUSE coreutils-i18n.patch for GNU coreutils allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string to the join command, when using the -i switch, which triggers a stack-based buffer overflow in the alloca function.

  • CVE-2013-0222Nov 23, 2013
    risk 0.00cvss epss 0.00

    The SUSE coreutils-i18n.patch for GNU coreutils allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string to the uniq command, which triggers a stack-based buffer overflow in the alloca function.

  • CVE-2013-6858Nov 23, 2013
    risk 0.00cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) "Volumes" or (2) "Network Topology" page.

  • CVE-2013-6375Nov 23, 2013
    risk 0.00cvss epss 0.01

    Xen 4.2.x and 4.3.x, when using Intel VT-d for PCI passthrough, does not properly flush the TLB after clearing a present translation table entry, which allows local guest administrators to cause a denial of service or gain privileges via unspecified vectors related to an…

  • CVE-2013-4560Nov 20, 2013
    risk 0.00cvss epss 0.05

    Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures.

  • CVE-2013-4487Nov 20, 2013
    risk 0.00cvss epss 0.02

    Off-by-one error in the dane_raw_tlsa in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.16 and 3.2.x before 3.2.6 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries. NOTE: this issue is due to an…

  • CVE-2013-1418Nov 18, 2013
    risk 0.00cvss epss 0.06

    The setup_server_realm function in main.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.7, when multiple realms are configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request.

  • CVE-2013-2061Nov 18, 2013
    risk 0.00cvss epss 0.03

    The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on…

  • CVE-2013-6621Nov 13, 2013
    risk 0.00cvss epss 0.02

    Use-after-free vulnerability in Google Chrome before 31.0.1650.48 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the x-webkit-speech attribute in a text INPUT element.

  • CVE-2013-2065Nov 2, 2013
    risk 0.00cvss epss 0.03

    (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.

  • CVE-2013-4885Oct 26, 2013
    risk 0.00cvss epss 0.07

    The http-domino-enum-passwords.nse script in NMap before 6.40, when domino-enum-passwords.idpath is set, allows remote servers to upload "arbitrarily named" files via a crafted FullName parameter in a response, as demonstrated using directory traversal sequences.

  • CVE-2013-2190Oct 17, 2013
    risk 0.00cvss epss 0.01

    The translate_hierarchy_event function in x11/clutter-device-manager-xi2.c in Clutter, when resuming the system, does not properly handle XIQueryDevice errors when a device has "disappeared," which causes the gnome-shell to crash and allows physically proximate attackers to…

  • CVE-2013-4389Oct 17, 2013
    risk 0.00cvss epss 0.03

    Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction…

  • CVE-2013-2927Oct 16, 2013
    risk 0.00cvss epss 0.02

    Use-after-free vulnerability in the HTMLFormElement::prepareForSubmission function in core/html/HTMLFormElement.cpp in Blink, as used in Google Chrome before 30.0.1599.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors…

  • CVE-2013-4344Oct 4, 2013
    risk 0.00cvss epss 0.00

    Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command.

  • CVE-2013-4288Oct 3, 2013
    risk 0.00cvss epss 0.00

    Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus…

  • CVE-2013-2919Oct 2, 2013
    risk 0.00cvss epss 0.02

    Google V8, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

  • CVE-2013-0211Sep 30, 2013
    risk 0.00cvss epss 0.04

    Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an…

  • CVE-2013-2217Sep 23, 2013
    risk 0.00cvss epss 0.01

    cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.

  • CVE-2013-4132Sep 16, 2013
    risk 0.00cvss epss 0.02

    KDE-Workspace 4.10.5 and earlier does not properly handle the return value of the glibc 2.17 crypt and pw_encrypt functions, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via (1) an invalid salt or a (2) DES or (3) MD5 encrypted…

  • CVE-2013-5589Aug 29, 2013
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2013-5588Aug 29, 2013
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2) the id parameter to cacti/host.php.

  • CVE-2013-5018Aug 28, 2013
    risk 0.00cvss epss 0.03

    The is_asn1 function in strongSwan 4.1.11 through 5.0.4 does not properly validate the return value of the asn1_length function, which allows remote attackers to cause a denial of service (segmentation fault) via a (1) XAuth username, (2) EAP identity, or (3) PEM encoded file…

  • CVE-2013-4111Aug 28, 2013
    risk 0.00cvss epss 0.01

    The Python client library for Glance (python-glanceclient) before 0.10.0 does not properly check the preverify_ok value, which prevents the server hostname from being verified with a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate…

  • CVE-2013-3495Aug 28, 2013
    risk 0.00cvss epss 0.00

    The Intel VT-d Interrupt Remapping engine in Xen 3.3.x through 4.3.x allows local guests to cause a denial of service (kernel panic) via a malformed Message Signaled Interrupt (MSI) from a PCI device that is bus mastering capable that triggers a System Error Reporting (SERR)…

  • CVE-2013-2161Aug 20, 2013
    risk 0.00cvss epss 0.02

    XML injection vulnerability in account/utils.py in OpenStack Swift Folsom, Grizzly, and Havana allows attackers to trigger invalid or spoofed Swift responses via an account name.

  • CVE-2013-5029Aug 19, 2013
    risk 0.00cvss epss 0.02

    phpMyAdmin 3.5.x and 4.0.x before 4.0.5 allows remote attackers to bypass the clickjacking protection mechanism via certain vectors related to Header.class.php.

  • CVE-2013-4852Aug 19, 2013
    risk 0.00cvss epss 0.03

    Integer overflow in PuTTY 0.62 and earlier, WinSCP before 5.1.6, and other products that use PuTTY allows remote SSH servers to cause a denial of service (crash) and possibly execute arbitrary code in certain applications that use PuTTY via a negative size value in an RSA key…

  • CVE-2013-4242Aug 19, 2013
    risk 0.00cvss epss 0.01

    GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.

  • CVE-2013-2145Aug 19, 2013
    risk 0.00cvss epss 0.01

    The cpansign verify functionality in the Module::Signature module before 0.72 for Perl allows attackers to bypass the signature check and execute arbitrary code via a SIGNATURE file with a "special unknown cipher" that references an untrusted module in Digest/.

  • CVE-2013-1872Aug 19, 2013
    risk 0.00cvss epss 0.03

    The Intel drivers in Mesa 8.0.x and 9.0.x allow context-dependent attackers to cause a denial of service (reachable assertion and crash) and possibly execute arbitrary code via vectors involving 3d graphics that trigger an out-of-bounds array access, related to the…

  • CVE-2013-4238Aug 18, 2013
    risk 0.00cvss epss 0.05

    The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a…

  • CVE-2013-2132Aug 15, 2013
    risk 0.00cvss epss 0.03

    bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an "invalid DBRef."

  • CVE-2013-2126Aug 14, 2013
    risk 0.00cvss epss 0.04

    Multiple double free vulnerabilities in the LibRaw::unpack function in libraw_cxx.cpp in LibRaw before 0.15.2 allow context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a malformed full-color (1) Foveon or (2) sRAW…

  • CVE-2013-2174Jul 31, 2013
    risk 0.00cvss epss 0.11

    Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent)…

Page 27 of 34