CVE-2015-2296
https://notcve.org/view.php?id=CVE-2015-2296
The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. La función resolve_redirects en sessions.py en requests 2.1.0 hasta 2.5.3 permite a atacantes remotos realizar ataques de fijación de sesión a través de una cookie sin valor de anfitrión en una redirección. • http://advisories.mageia.org/MGASA-2015-0120.html http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153594.html http://www.mandriva.com/security/advisories?name=MDVSA-2015:133 http://www.openwall.com/lists/oss-security/2015/03/14/4 http://www.openwall.com/lists/oss-security/2015/03/15/1 http://www.ubuntu.com/usn/USN-2531-1 https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc https://warehouse.python.org/project/requests/2.6.0 •
CVE-2014-8116 – file: multiple denial of service issues (resource consumption)
https://notcve.org/view.php?id=CVE-2014-8116
The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. El intérprete ELF (readelf.c) en versiones anteriores a 5.21, permite a atacantes remotos, provocar una denegaci?o de servicio (consumo de CPU o rotura) mediante un número largo de (1) programa o (2) cabeceras de sección o (3) capacidades no válidas. Multiple flaws were found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files. A remote attacker could use either of these flaws to cause a PHP application using fileinfo to consume an excessive amount of system resources. • http://advisories.mageia.org/MGASA-2015-0040.html http://rhn.redhat.com/errata/RHSA-2016-0760.html http://seclists.org/oss-sec/2014/q4/1056 http://secunia.com/advisories/61944 http://secunia.com/advisories/62081 http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http://www.securityfocus.com/bid/71700 http://www.securitytracker.com/id/1031344 http://www.ubuntu.com/usn/ • CWE-399: Resource Management Errors CWE-674: Uncontrolled Recursion •
CVE-2014-8117 – file: denial of service issue (resource consumption)
https://notcve.org/view.php?id=CVE-2014-8117
softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. softmagic.c en archivo anterior a 5.21 no limita adecuadamente el límite de recursividad, esto permite a atacantes remotos, provocar una denegación de servicio (consumo de CPU o rotura) mediante vectores no especificados. A flaw was found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files. A remote attacker could use this flaw to cause a PHP application using fileinfo to consume an excessive amount of system resources. • http://advisories.mageia.org/MGASA-2015-0040.html http://rhn.redhat.com/errata/RHSA-2016-0760.html http://seclists.org/oss-sec/2014/q4/1056 http://secunia.com/advisories/61944 http://secunia.com/advisories/62081 http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http://www.securityfocus.com/bid/71692 http://www.securitytracker.com/id/1031344 http://www.ubuntu.com/usn/ • CWE-399: Resource Management Errors CWE-674: Uncontrolled Recursion •
CVE-2014-9274
https://notcve.org/view.php?id=CVE-2014-9274
UnRTF allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code as demonstrated by a file containing the string "{\cb-999999999". UnRTF permite a atacantes remotos causar una denegación de servicio (caída) y posiblemente ejecutar código arbitrario tal y como fue demostrado por un fichero que contenía la cadena '{\cb-999999999'. • http://advisories.mageia.org/MGASA-2014-0533.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147399.html http://secunia.com/advisories/62811 http://www.debian.org/security/2015/dsa-3158 http://www.mandriva.com/security/advisories?name=MDVSA-2015:007 http://www.openwall.com/lists/oss-security/2014/12/04/15 http://www.securityfocus.com/bid/71430 https://bugzilla.redhat.com/show_bug.cgi?id=1170233 https://lists.gnu.org/archive/html/bug-unrtf/2014-1 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2014-9039 – WordPress Core < 4.0.1 Cross-Site Request Forgery to Password Reset
https://notcve.org/view.php?id=CVE-2014-9039
wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message. wp-login.php en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 podría permitir a atacantes remotos reconfigurar las contraseñas mediante el aprovechamiento del acceso a una cuenta de email que recibió un mensaje de reconfiguración de la contraseña. • http://advisories.mageia.org/MGASA-2014-0493.html http://core.trac.wordpress.org/changeset/30431 http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-254: 7PK - Security Features CWE-352: Cross-Site Request Forgery (CSRF) •