VulnerableCode Package Details - pkg:deb/debian/mono@3.2.8%2Bdfsg-10

Search for packages

Vulnerability	Summary	Fixed by
VCID-kpej-mch5-jyfr Aliases: CVE-2023-26314	The mono package before 6.8.0.105+dfsg-3.3 for Debian allows arbitrary code execution because the application/x-ms-dos-executable MIME type is associated with an un-sandboxed Mono CLR interpreter.	6.8.0.105+dfsg-3.3~deb11u1 Affected by 0 other vulnerabilities.
VCID-uwpq-kb7b-b7he Aliases: CVE-2009-0689	Security researcher Alin Rad Pop of Secunia Research reported a heap-based buffer overflow in Mozilla's string to floating point number conversion routines. Using this vulnerability an attacker could craft some malicious JavaScript code containing a very long string to be converted to a floating point number which would result in improper memory allocation and the execution of an arbitrary memory location. This vulnerability could thus be leveraged by the attacker to run arbitrary code on a victim's computer.Update: The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz.	4.6.2.7+dfsg-1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-xehh-a5vv-kffu Aliases: CVE-2018-1002208 GHSA-cqj4-m2pc-v9m5	Improper Limitation of a Pathname to a Restricted Directory in SharpZipLib SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.	5.18.0.240+dfsg-3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-kpej-mch5-jyfr
Aliases:
CVE-2023-26314

The mono package before 6.8.0.105+dfsg-3.3 for Debian allows arbitrary code execution because the application/x-ms-dos-executable MIME type is associated with an un-sandboxed Mono CLR interpreter.

6.8.0.105+dfsg-3.3~deb11u1
Affected by 0 other vulnerabilities.

VCID-uwpq-kb7b-b7he
Aliases:
CVE-2009-0689

Security researcher Alin Rad Pop of Secunia Research reported a heap-based buffer overflow in Mozilla's string to floating point number conversion routines. Using this vulnerability an attacker could craft some malicious JavaScript code containing a very long string to be converted to a floating point number which would result in improper memory allocation and the execution of an arbitrary memory location. This vulnerability could thus be leveraged by the attacker to run arbitrary code on a victim's computer.Update: The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz.

4.6.2.7+dfsg-1
Affected by 2 other vulnerabilities.

VCID-xehh-a5vv-kffu
Aliases:
CVE-2018-1002208
GHSA-cqj4-m2pc-v9m5

Improper Limitation of a Pathname to a Restricted Directory in SharpZipLib SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

5.18.0.240+dfsg-3
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-9rzm-f418-ubhp	The TLS stack in Mono before 3.12.1 makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204.	CVE-2015-2319
VCID-duh3-c86a-m3hw	The TLS stack in Mono before 3.12.1 allows remote attackers to have unspecified impact via vectors related to client-side SSLv2 fallback.	CVE-2015-2320
VCID-kc3z-c9sh-pya4	The TLS stack in Mono before 3.12.1 allows man-in-the-middle attackers to conduct message skipping attacks and consequently impersonate clients by leveraging missing handshake state validation, aka a "SMACK SKIP-TLS" issue.	CVE-2015-2318

Vulnerability

Summary

Aliases

VCID-9rzm-f418-ubhp

The TLS stack in Mono before 3.12.1 makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204.

CVE-2015-2319

VCID-duh3-c86a-m3hw

The TLS stack in Mono before 3.12.1 allows remote attackers to have unspecified impact via vectors related to client-side SSLv2 fallback.

CVE-2015-2320

VCID-kc3z-c9sh-pya4

The TLS stack in Mono before 3.12.1 allows man-in-the-middle attackers to conduct message skipping attacks and consequently impersonate clients by leveraging missing handshake state validation, aka a "SMACK SKIP-TLS" issue.

CVE-2015-2318

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T19:02:58.505285+00:00	Debian Oval Importer	Affected by	VCID-kpej-mch5-jyfr	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T17:03:56.850443+00:00	Debian Oval Importer	Fixing	VCID-duh3-c86a-m3hw	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T16:53:16.126318+00:00	Debian Oval Importer	Fixing	VCID-kc3z-c9sh-pya4	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T13:11:18.957810+00:00	Debian Oval Importer	Fixing	VCID-9rzm-f418-ubhp	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T12:59:15.556062+00:00	Debian Oval Importer	Affected by	VCID-xehh-a5vv-kffu	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T12:11:52.976887+00:00	Debian Oval Importer	Affected by	VCID-uwpq-kb7b-b7he	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0