CVSS: 5.0EPSS: 0%CPEs: 60EXPL: 1CVE-2015-2348 – php: move_uploaded_file() NUL byte injection in file name
https://notcve.org/view.php?id=CVE-2015-2348
The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243. La implementación move_uploaded_file en ext/standard/basic_functions.c en PHP anterior a 5.4.39, 5.5.x anterior a 5.5.23, y 5.6.x anterior a 5.6.7 trunca un nombre de ruta al encontrar un caracter \x00, lo que permite a atacantes remotos evadir las restricciones de extensiones y crear ficheros con nombres no esperados a través de un segundo argumento manipulado. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2006-7243. It was found that PHP move_uploaded_file() function did not properly handle file names with a NULL character. • http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1 http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00015.html http://marc.info/?l=bugtraq&m=143748090628601&w=2 http://marc.info/?l=bugtraq&m=144050155601375&w=2 http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1053.html • CWE-264: Permissions, Privileges, and Access Controls CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVSS: 7.5EPSS: 9%CPEs: 66EXPL: 1CVE-2015-2787 – php: use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re
https://notcve.org/view.php?id=CVE-2015-2787
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231. Vulnerabilidad de uso después de liberación en la función process_nested_data en ext/standard/var_unserializer.re en PHP anterior a 5.4.39, 5.5.x anterior a 5.5.23, y 5.6.x anterior a 5.6.7 permite a atacantes remotos ejecutar código arbitrario a través de una llamada no serializada manipulada que aprovecha el uso de la función unset dentro de una función __wakeup, un problema relacionado con CVE-2015-0231. A flaws was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. • http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00015.html http://marc.info/?l=bugtraq&m=143748090628601&w=2 http://marc.info/?l=bugtraq&m=144050155601375&w=2 http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1053.html http:// • CWE-416: Use After Free •
CVSS: 7.5EPSS: 1%CPEs: 17EXPL: 2CVE-2015-2301 – php: use after free in phar_object.c
https://notcve.org/view.php?id=CVE-2015-2301
Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file. Vulnerabilidad de uso después de liberación en la función phar_rename_archive en phar_object.c en PHP anterior a 5.5.22 y 5.6.x anterior a 5.6.6 permite a atacantes remotos causar una denegación de servicio o posiblemente tener otro impacto no especificado a través de vectores que provocan un intento de renombrar un archivo Phar al nombre de un fichero existente. A use-after-free flaw was found in PHP's phar (PHP Archive) paths implementation. A malicious script author could possibly use this flaw to disclose certain portions of server memory. • http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=b2cf3f064b8f5efef89bb084521b61318c71781b http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00002.html http://marc.info/?l=bugtraq&m=143403519711434&w=2 http://marc.info/?l=bugtraq&m=143748090628601&w=2 http://marc.info/?l=bugtraq&m=144050155601375&w=2 http://openwall.com/lists/oss- • CWE-416: Use After Free •
CVSS: 7.5EPSS: 1%CPEs: 24EXPL: 1CVE-2014-9657 – freetype: off-by-one buffer over-read in tt_face_load_hdmx()
https://notcve.org/view.php?id=CVE-2014-9657
The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. La función tt_face_load_hdmx en truetype/ttpload.c en FreeType anterior a 2.5.4 no establece un tamaño de registro mínimo, lo que permite a atacantes remotos causar una denegación de servicio (lectura fuera de rango) o posiblemente tener otro impacto no especificado a través de una fuente TrueType manipulada. • http://advisories.mageia.org/MGASA-2015-0083.html http://code.google.com/p/google-security-research/issues/detail?id=195 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=eca0f067068020870a429fe91f6329e499390d55 http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150148.html http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150162.html http://lists.opensuse.org/opensuse-updates/2015-03/msg00091.html http://rhn.redhat.com/errata/RHSA-2015-0696.html • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 1%CPEs: 24EXPL: 1CVE-2014-9658 – freetype: buffer over-read and integer underflow in tt_face_load_kern()
https://notcve.org/view.php?id=CVE-2014-9658
The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. La función tt_face_load_kern en sfnt/ttkern.c en FreeType anterior a 2.5.4 fuerza una longitud de tabla mínima incorrecta, lo que permite a atacantes remotos causar una denegación de servicio (lectura fuera de rango) o posiblemente tener otro impacto no especificado a través de una fuente TrueType manipulada. • http://advisories.mageia.org/MGASA-2015-0083.html http://code.google.com/p/google-security-research/issues/detail?id=194 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150148.html http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150162.html http://lists.opensuse.org/opensuse-updates/2015-03/msg00091.html http://rhn.redhat.com/errata/RHSA-2015-0696.html • CWE-125: Out-of-bounds Read •