Debian Linux vulnerabilities

9,911 known vulnerabilities affecting debian/debian_linux.

Total CVEs: 9,911
CISA KEV: 119 (actively exploited)
Public exploits: 429
Exploited in wild: 132
Severity breakdown: CRITICAL 1128, HIGH 4110, MEDIUM 4311, LOW 362

Vulnerabilities

Page 62 of 496
CVE-2023-47272 | MEDIUM | CVSS 6.1 | v10.0, v11.0, +1 more | 2023-11-06
[CWE-79] Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
nvd
CVE-2023-5482 | HIGH | CVSS 8.8 | v11.0, v12.0 | 2023-11-01
[CWE-345] Insufficient data validation in USB in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
nvd
CVE-2023-5849 | HIGH | CVSS 8.8 | v11.0, v12.0 | 2023-11-01
[CWE-190] Integer overflow in USB in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
nvd
CVE-2023-5857 | HIGH | CVSS 8.8 | v11.0, v12.0 | 2023-11-01
Inappropriate implementation in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially execute arbitrary code via a malicious file. (Chromium security severity: Medium)
nvd
CVE-2023-5856 | HIGH | CVSS 8.8 | v11.0, v12.0 | 2023-11-01
[CWE-416] Use after free in Side Panel in Google Chrome prior to 119.0.6045.105 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
nvd
CVE-2023-5855 | HIGH | CVSS 8.8 | v11.0, v12.0 | 2023-11-01
[CWE-416] Use after free in Reading Mode in Google Chrome prior to 119.0.6045.105 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via specific UI gestures. (Chromium security severity: Medium)
nvd
CVE-2023-5852 | HIGH | CVSS 8.8 | v11.0, v12.0 | 2023-11-01
[CWE-416] Use after free in Printing in Google Chrome prior to 119.0.6045.105 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via specific UI gestures. (Chromium security severity: Medium)
nvd
CVE-2023-5854 | HIGH | CVSS 8.8 | v11.0, v12.0 | 2023-11-01
[CWE-416] Use after free in Profiles in Google Chrome prior to 119.0.6045.105 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via specific UI gestures. (Chromium security severity: Medium)
nvd
CVE-2023-5858 | MEDIUM | CVSS 4.3 | v11.0, v12.0 | 2023-11-01
[CWE-346] Inappropriate implementation in WebApp Provider in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Low)
nvd
CVE-2023-5853 | MEDIUM | CVSS 4.3 | v11.0, v12.0 | 2023-11-01
[CWE-346] Incorrect security UI in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium)
nvd
CVE-2023-5850 | MEDIUM | CVSS 4.3 | v11.0, v12.0 | 2023-11-01
Incorrect security UI in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Medium)
nvd
CVE-2023-5859 | MEDIUM | CVSS 4.3 | v11.0, v12.0 | 2023-11-01
[CWE-346] Incorrect security UI in Picture In Picture in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform domain spoofing via a crafted local HTML page. (Chromium security severity: Low)
nvd
CVE-2023-5851 | MEDIUM | CVSS 4.3 | v11.0, v12.0 | 2023-11-01
[CWE-346] Inappropriate implementation in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium)
nvd
CVE-2023-5480 | MEDIUM | CVSS 6.1 | v11.0, v12.0 | 2023-11-01
[CWE-79] Inappropriate implementation in Payments in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to bypass XSS preventions via a malicious file. (Chromium security severity: High)
nvd
CVE-2023-46604 | CRITICAL | CVSS 9.8 | KEV | PoC | v10.0, v11.0 | 2023-10-27
[CWE-502] The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to
nvd
CVE-2023-34058 | HIGH | CVSS 7.5 | v10.0, v11.0, +1 more | 2023-10-27
[CWE-347] VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate their privileges if that target virtual machine has been a
nvd
CVE-2023-34059 | HIGH | CVSS 7.0 | v10.0, v11.0, +1 more | 2023-10-27
[CWE-404] open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to simulate user inputs.
nvd
CVE-2023-46234 | HIGH | CVSS 7.5 | v11.0, v12.0 | 2023-10-26
[CWE-347] browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack
nvd
CVE-2023-5730 | CRITICAL | CVSS 9.8 | v10.0, v11.0 | 2023-10-25
[CWE-787] Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
nvd
CVE-2023-5472 | HIGH | CVSS 8.8 | v11.0, v12.0 | 2023-10-25
[CWE-416] Use after free in Profiles in Google Chrome prior to 118.0.5993.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
nvd