CVSS: 5.5EPSS: 0%CPEs: 22EXPL: 0CVE-2016-9401 – bash: popd controlled free
https://notcve.org/view.php?id=CVE-2016-9401
02 Jan 2017 — popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address. popd en bash podrían permitir a usuarios locales eludir el shell restringido y provocar un uso después de liberación de memoria a través de una dirección manipulada. A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. The bash packages provi... • http://rhn.redhat.com/errata/RHSA-2017-0725.html • CWE-416: Use After Free •
CVSS: 7.5EPSS: 11%CPEs: 27EXPL: 0CVE-2016-8743 – httpd: Apache HTTP Request Parsing Whitespace Defects
https://notcve.org/view.php?id=CVE-2016-8743
25 Dec 2016 — Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. El servidor HTTP Apache, en todas las distribuciones... • http://rhn.redhat.com/errata/RHSA-2017-1415.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 33%CPEs: 92EXPL: 0CVE-2016-7426 – ntp: Client rate limiting and server responses
https://notcve.org/view.php?id=CVE-2016-7426
21 Dec 2016 — NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address. NTP en versiones anteriores a 4.2.8p9 limita la clasificación de respuestas recibidas desde las fuentes configuradas cuando la limitación de clasificación para todas las asociaciones está habilitado, lo que permite a atacantes remotos... • http://nwtime.org/ntp428p9_release • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 13%CPEs: 18EXPL: 0CVE-2016-2125 – samba: Unconditional privilege delegation to Kerberos servers in trusted realms
https://notcve.org/view.php?id=CVE-2016-2125
19 Dec 2016 — It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users. Se ha descubierto que Samba, en versiones anteriores a la 4.5.3, 4.4.8 y 4.3.13, siempre solicitaba tickets que podían reenviarse al emplear la autenticación de Kerberos. Un servicio al que Samba se ha autenticado con Kerberos podría ... • http://rhn.redhat.com/errata/RHSA-2017-0494.html • CWE-20: Improper Input Validation CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 3%CPEs: 21EXPL: 0CVE-2016-9893 – Mozilla: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 (MFSA 2016-95)
https://notcve.org/view.php?id=CVE-2016-9893
14 Dec 2016 — Memory safety bugs were reported in Thunderbird 45.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Se han reportado errores de seguridad de memoria en Thunderbird 45.5. Algunos de estos errores mostraron evidencias de corrupción de memoria y se entiende que, con el suficiente esfuerzo, algunos de estos podrían ex... • http://rhn.redhat.com/errata/RHSA-2016-2946.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.1EPSS: 0%CPEs: 21EXPL: 1CVE-2016-9895 – Mozilla: CSP bypass using marquee tag (MFSA 2016-94, MFSA 2016-95)
https://notcve.org/view.php?id=CVE-2016-9895
14 Dec 2016 — Event handlers on "marquee" elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Los gestores de eventos en los elementos "marquee" se ejecutaron a pesar de que existe un CSP (Content Security Policy) estricto que prohibía el JavaScript inline. La vulnerabilidad afecta a Firefox en versiones anteriores a la 50.1, Firefox ESR en versiones anteriores a la 45.6 y Thunderbir... • http://rhn.redhat.com/errata/RHSA-2016-2946.html • CWE-254: 7PK - Security Features •
CVSS: 9.8EPSS: 3%CPEs: 21EXPL: 1CVE-2016-9898 – Mozilla: Use-after-free in Editor while manipulating DOM subtrees (MFSA 2016-94, MFSA 2016-95)
https://notcve.org/view.php?id=CVE-2016-9898
14 Dec 2016 — Use-after-free resulting in potentially exploitable crash when manipulating DOM subtrees in the Editor. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Uso de memoria previamente liberada que resulta en un cierre inesperado potencialmente explotable al manipular subárboles DOM en el Editor. La vulnerabilidad afecta a Firefox en versiones anteriores a la 50.1, Firefox ESR en versiones anteriores a la 45.6 y Thunderbird en versiones anteriores a la 45.6. Multiple memory ... • http://rhn.redhat.com/errata/RHSA-2016-2946.html • CWE-416: Use After Free •
CVSS: 9.8EPSS: 38%CPEs: 22EXPL: 3CVE-2016-9899 – Mozilla Firefox < 50.1.0 - Use-After-Free
https://notcve.org/view.php?id=CVE-2016-9899
14 Dec 2016 — Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Uso de memoria previamente liberada al manipular eventos DOM y eliminar elementos de audio debido a errores en la gestión de la adopción de nodos. La vulnerabilidad afecta a Firefox en versiones anteriores a la 50.1, Firefox ESR en versiones anteriores a la 45.6 y Thunderbird en versiones anteriores a l... • https://packetstorm.news/files/id/140491 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 1%CPEs: 21EXPL: 1CVE-2016-9900 – Mozilla: Restricted external resources can be loaded by SVG images through data URLs (MFSA 2016-94, MFSA 2016-95)
https://notcve.org/view.php?id=CVE-2016-9900
14 Dec 2016 — External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of "data:" URLs. This could allow for cross-domain data leakage. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Los recursos externos que deberían estar bloqueados al ser cargados por imágenes SVG pueden omitir restricciones de seguridad mediante el uso de URL "data:". Esto podría permitir el filtrado de datos Cross-Domain. • http://rhn.redhat.com/errata/RHSA-2016-2946.html • CWE-254: 7PK - Security Features •
CVSS: 9.8EPSS: 2%CPEs: 16EXPL: 0CVE-2016-9901 – Mozilla: Data from Pocket server improperly sanitized before execution (MFSA 2016-94, MFSA 2016-95)
https://notcve.org/view.php?id=CVE-2016-9901
14 Dec 2016 — HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" (unprivileged) page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1. Las etiquetas HTML recibidas del servidor Pocket serán procesadas sin sanear y cualquier código JavaScript que se ejecute lo hará en la página "about:pocket-saved" (sin privilegios), concediéndole acceso ... • http://rhn.redhat.com/errata/RHSA-2016-2946.html • CWE-20: Improper Input Validation •