| purl | pkg:deb/debian/mono@6.8.0.105%2Bdfsg-3.3~deb11u1?distro=trixie |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1qhk-r5sq-zqhm | Path traversal in SharpZipLib. SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. A check was added for whether the destination file is under a destination directory. However, it is not enforced that `_baseDirectory` ends with a slash. If the `_baseDirectory` is not slash terminated, like `/home/user/dir`, it is possible to create a file with a name that begins as the destination directory one level up from the directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. fixed this vulnerability. | CVE-2021-32842<br>GHSA-mm6g-mmq6-53ff |
| VCID-2jhf-j64s-gygy | Security researcher Alin Rad Pop of Secunia Research reported a heap-based buffer overflow in Mozilla's string to floating point number conversion routines. Using this vulnerability an attacker could craft some malicious JavaScript code containing a very long string to be converted to a floating point number which would result in improper memory allocation and the execution of an arbitrary memory location. This vulnerability could thus be leveraged by the attacker to run arbitrary code on a victim's computer. Update: The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz. | CVE-2009-0689 |
| VCID-45yu-4es7-wqg6 | StaticFileHandler.cs in System.Web in Mono before 1.2.5.2, when running on Windows, allows remote attackers to obtain source code of sensitive files via a request containing a trailing (1) space or (2) dot, which is not properly handled by XSP. | CVE-2007-5473 |
| VCID-4g67-mxz3-27ak | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The default configuration of ASP.NET in Mono before 2.6.4 has a value of FALSE for the EnableViewStateMac property, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by the __VIEWSTATE parameter to 2.0/menu/menu1.aspx in the XSP sample project. | CVE-2010-1459<br>GHSA-g5c6-w479-93xm |
| VCID-75b6-ycq1-93ay | A hash collision vulnerability in Mono allows remote attackers to cause a Denial of Service condition. | CVE-2012-3543 |
| VCID-91z4-znxj-2fds | Multiple vulnerabilities were found in Mono, the worst of which allows for the remote execution of arbitrary code. | CVE-2011-0990 |
| VCID-99h2-625x-nfct | Mono is vulnerable to linking attacks, potentially allowing a local user to overwrite arbitrary files. | CVE-2006-5072 |
| VCID-a483-t5eh-pkf5 | Multiple vulnerabilities were found in Mono, the worst of which allows for the remote execution of arbitrary code. | CVE-2011-0992 |
| VCID-azkx-bdnb-ebbg | The mono package before 6.8.0.105+dfsg-3.3 for Debian allows arbitrary code execution because the application/x-ms-dos-executable MIME type is associated with an un-sandboxed Mono CLR interpreter. | CVE-2023-26314 |
| VCID-c1c3-ck5x-mkay | Multiple vulnerabilities were found in Mono, the worst of which allows for the remote execution of arbitrary code. | CVE-2010-4225 |
| VCID-eadx-224r-vyhs | Path traversal in SharpZipLib. SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. A check was added for whether the destination file is under the destination directory. However, it is not enforced that `destDir` ends with a slash. If the `destDir` is not slash terminated, like `/home/user/dir`, it is possible to create a file with a name that begins with the destination directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. contains a patch for this vulnerability. | CVE-2021-32841<br>GHSA-2x7h-96h5-rq84 |
| VCID-f6cm-frak-aydf | mono: XSS vulnerabilities in the ASP.net class libraries | CVE-2008-3422 |
| VCID-fc3w-b9en-rbbm | security update | CVE-2015-2318 |
| VCID-fxh1-kq9x-6bbz | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. A TAR file entry `../evil.txt` may be extracted in the parent directory of `destFolder`. This leads to arbitrary file write that may lead to code execution. | CVE-2021-32840<br>GHSA-m22m-h4rf-pwq3 |
| VCID-gt2k-srht-4qfe | Multiple vulnerabilities were found in Mono, the worst of which allows for the remote execution of arbitrary code. | CVE-2011-0989 |
| VCID-kbuv-pvcj-bucr | Multiple vulnerabilities were found in Mono, the worst of which allows for the remote execution of arbitrary code. | CVE-2011-0991 |
| VCID-nssu-1x9p-mudc | security update | CVE-2015-2319 |
| VCID-nz8p-usaz-8kgt | Cross-site scripting (XSS) vulnerability in the ProcessRequest function in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and earlier allows remote attackers to inject arbitrary web script or HTML via a file with a crafted name and a forbidden extension, which is not properly handled in an error message. | CVE-2012-3382 |
| VCID-s4yu-1s7d-bufz | Multiple vulnerabilities were found in Mono, the worst of which allows for the remote execution of arbitrary code. | CVE-2010-4159 |
| VCID-sgsg-b4yc-juh6 | mono: Sys.Web HTTP header injection attack | CVE-2008-3906 |
| VCID-t9ck-91tr-nfaw | Multiple cross-site scripting (XSS) vulnerabilities in the Mono 1.0.5 implementation of ASP.NET (.Net) allow remote attackers to inject arbitrary HTML or web script via Unicode representations for ASCII fullwidth characters that are converted to normal ASCII characters, including ">" and "<". | CVE-2005-0509 |
| VCID-w6qh-dtdh-1bep | security update | CVE-2015-2320 |
| VCID-xhd4-zcc1-gyak | Mono does not properly sanitize pathnames, allowing unauthorized information disclosure. | CVE-2006-6104 |
| VCID-xzc1-cy42-2ub4 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. | CVE-2018-1002208<br>GHSA-cqj4-m2pc-v9m5 |
| VCID-yqu4-jn6n-eug3 | Mono's BigInteger implementation contains a buffer overflow vulnerability that might lead to the execution of arbitrary code. | CVE-2007-5197 |
| VCID-z7ht-bq8z-3qgd | XML signature HMAC truncation authentication bypass. This package uses a parameter that defines an HMAC truncation length (`HMACOutputLength`) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. | CVE-2009-0217<br>GHSA-8hfm-837h-hjg5 |