CVSS: 7.5EPSS: 4%CPEs: 61EXPL: 1CVE-2015-4026 – php: pcntl_exec() accepts paths with NUL character
https://notcve.org/view.php?id=CVE-2015-4026
The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243. La implementación pcntl_exec en PHP anterior a 5.4.41, 5.5.x anterior a 5.5.25, y 5.6.x anterior a 5.6.9 trunca un nombre de ruta al encontrar un caracter \x00, lo que podría permitir a atacantes remotos evadir las restricciones de extensión y ejecutar ficheros con nombres no esperados a través de un argumento inicial manipulado. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2006-7243. It was found that certain PHP functions did not properly handle file names containing a NULL character. • http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158616.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158915.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159031.html http://lists.opensuse.org/opensuse-updates/2015-06/msg00002.html http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1135.html http://rhn.redhat.com/errata/RHSA-2015&# • CWE-19: Data Processing Errors CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVSS: 7.5EPSS: 13%CPEs: 54EXPL: 2CVE-2015-4147 – php: SoapClient's __call() type confusion through unserialize()
https://notcve.org/view.php?id=CVE-2015-4147
The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to execute arbitrary code by providing crafted serialized data with an unexpected data type, related to a "type confusion" issue. El método SoapClient::__call en ext/soap/soap.c en PHP anterior a 5.4.39, 5.5.x anterior a 5.5.23, y 5.6.x anterior a 5.6.7 no verifica que __default_headers es un array, lo que permite a atacantes remotos ejecutar código arbitrario mediante la provisión de datos serializados manipulados con un tipo de datos no esperado, relacionado con un problema de 'confusión de tipo'. A flaws was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. • http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html http://openwall.com/lists/oss-security/2015/06/01/4 http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1053.html http://rhn.redhat.com/errata/RHSA-2015-1066.html http://rhn.redhat.com/errata/RHSA-2015-1135.html http://rhn.redhat.com/errata/RHSA-2015-1218.html http://www.oracle.com/technetwork/topics&# • CWE-19: Data Processing Errors CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 5.0EPSS: 3%CPEs: 54EXPL: 3CVE-2015-4148 – SMF (Simple Machine Forum) 2.0.10 - Remote Memory Exfiltration
https://notcve.org/view.php?id=CVE-2015-4148
The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue. La función do_soap_call en ext/soap/soap.c en PHP anterior a 5.4.39, 5.5.x anterior a 5.5.23, y 5.6.x anterior a 5.6.7 no verifica que la propiedad uri es una cadena, lo que permite a atacantes remotos obtener información sensible mediante la provisión de datos serializados manipulados con un tipo de datos int, relacionados con un problema de 'confusión de tipo'. A flaws was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. • https://www.exploit-db.com/exploits/38304 http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.opensuse.org/opensuse-updates/2015-06/msg00028.html http://openwall.com/lists/oss-security/2015/06/01/4 http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1053.html http://rhn.redhat.com/errata/RHSA-2015-1066.html http://rhn.redhat.com/errata/RHSA-2015-1135.html http://rhn.redhat.com/errata/RHSA-2015-1218.html http&# • CWE-20: Improper Input Validation CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2015-5277 – glibc: data corruption while reading the NSS files database
https://notcve.org/view.php?id=CVE-2015-5277
The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database. La función get_contents en nss_files/files-XXX.c en el Name Service Switch (NSS) en GNU C Library (también conocida como glibc o libc6) en versiones anteriores a 2.20 puede permitir a usuarios locales causar una denegación de servicio (corrupción de pila) o ganar privilegios a través de una larga fila en la base de datos de archivos NSS. It was discovered that the nss_files backend for the Name Service Switch in glibc would return incorrect data to applications or corrupt the heap (depending on adjacent heap contents). A local attacker could potentially use this flaw to execute arbitrary code on the system. Many Cisco devices such as Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P, Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160, and Cisco 160W suffer from having hard-coded credentials, known GNU glibc, known BusyBox, and IoT Inspector identified vulnerabilities. • http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html http://rhn.redhat.com/errata/RHSA-2015-2172.html http://seclists.org/fulldisclosure/2019/Sep/7 http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http://www.securityfocus.com/bid/78092 http://www.securitytracker.com/id/1034196 http://www.ubuntu.com/usn/USN-2985-1 http://www.ubuntu.com/usn/USN-2985-2 https://bugzilla.redhat.com/show_bug.cgi?id=1262914& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.8EPSS: 3%CPEs: 20EXPL: 0CVE-2015-1863 – wpa_supplicant: P2P SSID processing vulnerability
https://notcve.org/view.php?id=CVE-2015-1863
Heap-based buffer overflow in wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (crash), read memory, or possibly execute arbitrary code via crafted SSID information in a management frame when creating or updating P2P entries. Desbordamiento de buffer basado en memoria dinámica en wpa_supplicant 1.0 hasta 2.4 permite a atacantes remotos causar una denegación de servicio (caída), leer la memoria o posiblemente ejecutar código arbitrario a través de información SSID manipulada en un Frame de gestión cuando se crea o actualiza las entradas P2P. A buffer overflow flaw was found in the way wpa_supplicant handled SSID information in the Wi-Fi Direct / P2P management frames. A specially crafted frame could allow an attacker within Wi-Fi radio range to cause wpa_supplicant to crash or, possibly, execute arbitrary code. • http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00000.html http://packetstormsecurity.com/files/131598/Android-wpa_supplicant-Heap-Overflow.html http://rhn.redhat.com/errata/RHSA-2015-1090.html http://seclists.org/fulldisclosure/2015/Apr/82 http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.p1ECc3&id=19 http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt http://www.debian.org/security/2015/dsa-3233 http://www.securityfocus.com/archive/1/535353& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •