Page 22 of 185 results (0.008 seconds)

CVSS: 7.5EPSS: 0%CPEs: 85EXPL: 0

CVE-2016-2216 – Node.js HTTP Response Splitting

https://notcve.org/view.php?id=CVE-2016-2216

The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a. El código de interpretacción de cabecera HTTP en Node.js 0.10.x en versiones anteriores a 0.10.42, 0.11.6 hasta la versión 0.11.16, 0.12.x en versiones anteriores a 0.12.10, 4.x en versiones anteriores a 4.3.0 y 5.x en versiones anteriores a 5.6.0 permite a atacantes remotos eludir un mecanismo de protección de separación de respuesta HTTP a través de caracteres Unicode codificados en UTF-8 en la cabecera HTTP, según lo demonstrado mediante %c4%8d%c4%8a. Node.js suffers from an HTTP response splitting vulnerability. Node.js versions 5.6.0, 4.3.0, 0.12.10, and 0.10.42 contain a fix for this vulnerability. • http://blog.safebreach.com/2016/02/09/http-response-splitting-in-node-js-root-cause-analysis http://info.safebreach.com/hubfs/Node-js-Response-Splitting.pdf http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177184.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177673.html http://packetstormsecurity.com/files/135711/Node.js-HTTP-Response-Splitting.html http://www.securityfocus.com/bid/83141 https://nodejs.org/en/blog/vulnerability/february-2016-security-re • CWE-20: Improper Input Validation •

CVSS: 7.7EPSS: 0%CPEs: 19EXPL: 0

CVE-2015-8567

https://notcve.org/view.php?id=CVE-2015-8567

Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption). La pérdida de memoria en net/vmxnet3.c en QEMU permite a atacantes remotos provocar una denegación de servicio (consumo de memoria). • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176503.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176558.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175967.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176300.html http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00012.html http://lists.opensuse.org/opensuse-secu • CWE-401: Missing Release of Memory after Effective Lifetime •

CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0

CVE-2016-0753 – rubygem-activerecord: possible input validation circumvention in Active Model

https://notcve.org/view.php?id=CVE-2016-0753

Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters. Active Model en Ruby on Rails 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 soporta el uso de los escritores a nivel de instancia para descriptores de acceso de clase, lo que permite a atacantes remotos eludir los pasos destinados a la validación a través de parámetros manipulados. A flaw was found in the way the Active Model based models processed attributes. An attacker with the ability to pass arbitrary attributes to models could possibly use this flaw to bypass input validation. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html http://lists.opensuse.org/opens • CWE-20: Improper Input Validation •

CVSS: 6.1EPSS: 0%CPEs: 29EXPL: 1

CVE-2016-1926

https://notcve.org/view.php?id=CVE-2016-1926

Cross-site scripting (XSS) vulnerability in the charts module in Greenbone Security Assistant (GSA) 6.x before 6.0.8 allows remote attackers to inject arbitrary web script or HTML via the aggregate_type parameter in a get_aggregate command to omp. Vulnerabilidad de XSS en el módulo charts en Greenbone Security Assistant (GSA) 6.x en versiones anteriores a 6.0.8 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro aggregate_type en un comando get_aggregate para omp. • http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183371.html http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184478.html http://packetstormsecurity.com/files/135328/OpenVAS-Greenbone-Security-Assistant-Cross-Site-Scripting.html http://www.greenbone.net/technology/gbsa2016-01.html http://www.openvas.org/OVSA20160113.html http://www.securityfocus.com/archive/1/537335/100/0/threaded https://en.internetwache.org/cve-2016-1926-xss-in-the-greenbone-security-assistant-20-01-2016 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.4EPSS: 0%CPEs: 12EXPL: 0

CVE-2016-1572

https://notcve.org/view.php?id=CVE-2016-1572

mount.ecryptfs_private.c in eCryptfs-utils does not validate mount destination filesystem types, which allows local users to gain privileges by mounting over a nonstandard filesystem, as demonstrated by /proc/$pid. mount.ecryptfs_private.c en eCryptfs-utils no valida el destino de montaje de los tipos de archivos de sistema, lo que permite a usuarios locales obtener privilegios mediante el montaje sobre un sistema de archivos no estándar, según lo demostrado por /proc/$pid. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177359.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177396.html http://lists.opensuse.org/opensuse-updates/2016-01/msg00091.html http://lists.opensuse.org/opensuse-updates/2016-01/msg00118.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00004.html http://www.debian.org/security/2016/dsa-3450 http://www.openwall.com/lists/oss-security/2016/01/20/6 http://www.securitytracker.com • CWE-269: Improper Privilege Management •