Security
Headlines
HeadlinesLatestCVEs

Tag

#debian

CVE-2022-26149: 0days/Exploit.txt at main · sartlabs/0days

MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator.

CVE
Open in Source
#web#debian
CVE-2022-25328: Metadata validation and other security improvements by ebiggers · Pull Request #346 · google/fscrypt

The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or above

CVE-2016-1239: handle loading untrusted code from current directory (b43b5bbf) · Commits · Debian / The Debian Url ChecKer

duck before 0.10 did not properly handle loading of untrusted code from the current directory..

CVE-2021-45082: Releases · cobbler/cobbler

An issue was discovered in Cobbler through 3.3.0. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.)

CVE-2021-40841: Changelog

A Path Traversal vulnerability for a log file in LiveConfig 2.12.2 allows authenticated attackers to read files on the underlying server.

CVE-2022-0543: #1005787 - redis: CVE-2022-0543 - Debian Bug report logs

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

CVE-2022-0543: #1005787 - redis: CVE-2022-0543 - Debian Bug report logs

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

CVE-2021-3578: Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug | The GitHub Blog

A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. This could be plausibly exploited for remote code execution on the client.

CVE-2021-3578: Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug | The GitHub Blog

A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. This could be plausibly exploited for remote code execution on the client.

CVE-2021-20001: etc/apache2/mods-available/debian-edu-userdir.conf: Disable built-in PHP engine. (4d39a588) · Commits · Debian Edu / debian-edu-config

It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation.