The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Fedora

vulnerability alert CVE-2016-7103

jquery-ui: Cross Site Scripting via closeText

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via closeText of jquery-ui, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 22/11/2017.
Identifiers: CVE-2016-7103, FEDORA-2017-1bf5a0ce01, FEDORA-2017-e2d17af41e, VIGILANCE-VUL-24511.

Description of the vulnerability

The jquery-ui product offers a web service.

However, it does not filter received data via closeText before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via closeText of jquery-ui, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability 24455

PHPMailer: Cross Site Scripting via Debug Output

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Debug Output of PHPMailer, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 16/11/2017.
Identifiers: FEDORA-2017-4b3873b325, FEDORA-2017-803a99828d, FEDORA-2017-fa89dbf50d, VIGILANCE-VUL-24455.

Description of the vulnerability

The PHPMailer product offers a web service.

However, it does not filter received data via Debug Output before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Debug Output of PHPMailer, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2017-16785

Cacti: Cross Site Scripting via host.php PATH_INFO

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via host.php PATH_INFO of Cacti, in order to run JavaScript code in the context of the web site.
Impacted products: Cacti, Fedora, openSUSE Leap.
Severity: 2/4.
Creation date: 13/11/2017.
Identifiers: 1071, CVE-2017-16785, FEDORA-2017-9762a831b2, FEDORA-2017-cf75844225, FEDORA-2017-d008ecf87a, openSUSE-SU-2017:3051-1, VIGILANCE-VUL-24415.

Description of the vulnerability

The Cacti product offers a web service.

However, it does not filter received data via host.php PATH_INFO before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via host.php PATH_INFO of Cacti, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin CVE-2017-12193

Linux kernel: NULL pointer dereference via assoc_array_apply_edit

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced via assoc_array_apply_edit() of the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, Linux, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 02/11/2017.
Identifiers: CERTFR-2017-AVI-448, CERTFR-2017-AVI-454, CERTFR-2017-AVI-458, CVE-2017-12193, FEDORA-2017-38b37120a2, FEDORA-2017-9fbb35aeda, openSUSE-SU-2017:3358-1, openSUSE-SU-2017:3359-1, SUSE-SU-2017:3210-1, SUSE-SU-2017:3249-1, SUSE-SU-2017:3398-1, SUSE-SU-2017:3410-1, USN-3507-1, USN-3507-2, USN-3509-1, USN-3509-2, USN-3509-3, USN-3509-4, VIGILANCE-VUL-24308.

Description of the vulnerability

The Noyau Linux product offers a web service.

However, it does not check if a pointer is NULL, before using it.

An attacker can therefore force a NULL pointer to be dereferenced via assoc_array_apply_edit() of the Linux kernel, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability CVE-2017-15194

Cacti: Cross Site Scripting via Path-Based

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Path-Based of Cacti, in order to run JavaScript code in the context of the web site.
Impacted products: Cacti, Fedora, openSUSE Leap.
Severity: 2/4.
Creation date: 11/10/2017.
Identifiers: 1010, CVE-2017-15194, FEDORA-2017-8761075ffd, FEDORA-2017-ac20492c3e, openSUSE-SU-2017:2765-1, VIGILANCE-VUL-24100.

Description of the vulnerability

The Cacti product offers a web service.

However, it does not filter received data via Path-Based before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Path-Based of Cacti, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability alert CVE-2017-10840

WebCalendar: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WebCalendar, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 10/10/2017.
Identifiers: CVE-2017-10840, FEDORA-2017-26a53ccbdf, FEDORA-2017-c9abeb3158, VIGILANCE-VUL-24061.

Description of the vulnerability

The WebCalendar product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WebCalendar, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability 23990

Horde Passwd: open redirect

Synthesis of the vulnerability

An attacker can deceive the user of Horde Passwd, in order to redirect him to a malicious site.
Impacted products: Fedora.
Severity: 1/4.
Creation date: 02/10/2017.
Identifiers: FEDORA-2017-51b91fc4a9, FEDORA-2017-9d14020761, VIGILANCE-VUL-23990.

Description of the vulnerability

The Horde Passwd product offers a web service.

However, the web service accepts to redirect the victim with no warning, to an external site indicated by the attacker.

An attacker can therefore deceive the user of Horde Passwd, in order to redirect him to a malicious site.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability alert CVE-2017-1000158

Python: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Python.
Impacted products: Debian, Fedora, Python, Ubuntu.
Severity: 2/4.
Creation date: 19/09/2017.
Identifiers: bpo-30500, bpo-30730, CVE-2017-1000158, DLA-1189-1, DLA-1190-1, FEDORA-2017-2d441a1d98, FEDORA-2017-2e5a17c4cc, FEDORA-2017-677069c484, FEDORA-2017-6be762ea64, FEDORA-2017-7fe2c4bc0e, FEDORA-2017-99d12bf610, FEDORA-2017-a41f6a8078, FEDORA-2017-cf8c62747a, FEDORA-2017-e0abe14016, issue30657, USN-3496-1, USN-3496-2, USN-3496-3, VIGILANCE-VUL-23866.

Description of the vulnerability

Several vulnerabilities were announced in Python.

An attacker can use a vulnerability via Windows Environment Variables Injection, in order to run code. [severity:2/4; bpo-30730]

An attacker can bypass security features via urllib.splithost(), in order to escalate his privileges. [severity:2/4; bpo-30500]

An attacker can generate an integer overflow via PyString_DecodeEscape(), in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2017-1000158, issue30657]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin CVE-2017-2923 CVE-2017-2924

FreeXL: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of FreeXL.
Impacted products: Debian, Fedora, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 18/09/2017.
Identifiers: CVE-2017-2923, CVE-2017-2924, DLA-1098-1, DSA-3976-1, FEDORA-2017-6679a0a2e1, FEDORA-2017-b7e6e4cfc1, openSUSE-SU-2017:2537-1, openSUSE-SU-2017:2539-1, VIGILANCE-VUL-23848.

Description of the vulnerability

Several vulnerabilities were announced in FreeXL.

An attacker can generate a buffer overflow via read_biff_next_record(), in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2017-2923]

An attacker can generate a buffer overflow via read_legacy_biff(), in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2017-2924]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability announce CVE-2017-12794

Django: Cross Site Scripting via Traceback

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Traceback of Django, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 15/09/2017.
Identifiers: CVE-2017-12794, FEDORA-2017-8614a6e905, VIGILANCE-VUL-23842.

Description of the vulnerability

The Django product offers a web service.

However, it does not filter received data via Traceback before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Traceback of Django, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Fedora: