The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2016-10937 | IMAPFilter through 2.6.12 does not validate the hostname in an SSL certificate. | MEDIUM | Sep 9, 2019 |
CVE-2011-3372 | imap/nntpd.c in the NNTP server (nntpd) for Cyrus IMAPd 2.4.x before 2.4.12 allows remote attackers to bypass authentication by sending an AUTHINFO USER command without sending an additional AUTHINFO PASS command. | High | Dec 26, 2011 |
CVE-2016-5757 | iManager Admin Console in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 was vulnerable to iFrame manipulation attacks, which could allow remote users to gain access to authentication credentials. | HIGH | Mar 24, 2017 |
CVE-2021-42369 | Imagicle Application Suite (for Cisco UC) before 2021.Summer.2 allows SQL injection. A low-privileged user could inject a SQL statement through the Export to CSV feature of the Contact Manager web GUI. | MEDIUM | Oct 14, 2021 |
CVE-2022-24720 | image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the `#apply` method from image_processing to apply a series of operations that are coming from unsanitized user input allows the attacker to execute shell commands. This method is called internally by Active Storage variants, so Active Storage is vulnerable as well. The vulnerability has been fixed in version 1.12.2 of image_processing. As a workaround, users who process based on user input should always sanitize the user input by allowing only a constrained set of operations. | HIGH | Mar 2, 2022 |
CVE-2017-9203 | imagew-main.c:960:12 in libimageworsener.a in ImageWorsener 1.3.1 allows remote attackers to cause a denial of service (buffer underflow) via a crafted image, related to imagew-bmp.c. | MEDIUM | May 23, 2017 |
CVE-2017-9202 | imagew-cmd.c:854:45 in libimageworsener.a in ImageWorsener 1.3.1 allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted image, related to imagew-api.c. | MEDIUM | May 23, 2017 |
CVE-2017-9201 | imagew-cmd.c:850:46 in libimageworsener.a in ImageWorsener 1.3.1 allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted image, related to imagew-api.c. | MEDIUM | May 23, 2017 |
CVE-2024-27929 | ImageSharp is a managed, cross-platform, 2D graphics library. A heap-use-after-free flaw was found in ImageSharp\'s InitializeImage() function of PngDecoderCore.cs file. This vulnerability is triggered when an attacker passes a specially crafted PNG image file to ImageSharp for conversion, potentially leading to information disclosure. This issue has been patched in versions 3.1.3 and 2.1.7. | -- | Mar 5, 2024 |
CVE-2024-32035 | ImageSharp is a 2D graphics API. A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usage in image decoders. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw. This flaw can be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on ImageSharp for image processing tasks. Users and administrators are advised to update to the latest version of ImageSharp that addresses this vulnerability to mitigate the risk of exploitation. The problem has been patched in v3.1.4 and v2.1.8. | -- | Apr 16, 2024 |
CVE-2024-32036 | ImageSharp is a 2D graphics API. A data leakage flaw was found in ImageSharp\'s JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer. The problem has been patched in v3.1.4 and v2.1.8. | -- | Apr 16, 2024 |
CVE-2009-0678 | images/captcha.php in RavenNuke 2.30 allows remote attackers to obtain sensitive information via an aFonts array parameter value that does not correspond to a valid font file, which reveals the installation path in an error message. | Medium | Feb 23, 2009 |
CVE-2009-0674 | images/captcha.php in Raven Web Services RavenNuke 2.30, when register_globals and display_errors are enabled, allows remote attackers to determine the existence of local files by sending requests with full pathnames in the aFonts array parameter, and then observing the error messages, which differ between existing and nonexistent pathnames. | Medium | Feb 23, 2009 |
CVE-2019-9817 | Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. | MEDIUM | Jul 26, 2019 |
CVE-2016-10596 | imageoptim is a Node.js wrapper for some images compression algorithms. imageoptim downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server. | MEDIUM | Jun 1, 2018 |
CVE-2018-10804 | ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c. | MEDIUM | May 8, 2018 |
CVE-2018-10805 | ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c. | MEDIUM | May 8, 2018 |
CVE-2017-15033 | ImageMagick version 7.0.7-2 contains a memory leak in ReadYUVImage in coders/yuv.c. | MEDIUM | Oct 5, 2017 |
CVE-2017-15032 | ImageMagick version 7.0.7-2 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c. | HIGH | Oct 5, 2017 |
CVE-2021-39212 | ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain=module rights=none pattern=PS />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain=coder rights=none pattern={PS,EPI,EPS,EPSF,EPSI} />. | LOW | Sep 14, 2021 |
CVE-2019-18853 | ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2. | MEDIUM | Nov 13, 2019 |
CVE-2019-17541 | ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c. | MEDIUM | Oct 18, 2019 |
CVE-2019-17540 | ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c. | MEDIUM | Oct 23, 2019 |
CVE-2019-13136 | ImageMagick before 7.0.8-50 has an integer overflow vulnerability in the function TIFFSeekCustomStream in coders/tiff.c. | Medium | Jul 2, 2019 |
CVE-2019-13135 | ImageMagick before 7.0.8-50 has a use of uninitialized value vulnerability in the function ReadCUTImage in coders/cut.c. | Medium | Jul 2, 2019 |
CVE-2019-13134 | ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c. | Medium | Jul 2, 2019 |
CVE-2019-13137 | ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadPSImage in coders/ps.c. | Medium | Jul 2, 2019 |
CVE-2019-13133 | ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c. | Medium | Jul 2, 2019 |
CVE-2017-17504 | ImageMagick before 7.0.7-12 has a coders/png.c Magick_png_read_raw_profile heap-based buffer over-read via a crafted file, related to ReadOneMNGImage. | MEDIUM | Dec 10, 2017 |
CVE-2017-9098 | ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c. | MEDIUM | May 23, 2017 |
CVE-2017-17499 | ImageMagick before 6.9.9-24 and 7.x before 7.0.7-12 has a use-after-free in Magick::Image::read in Magick++/lib/Image.cpp. | HIGH | Dec 10, 2017 |
CVE-2023-39978 | ImageMagick before 6.9.12-91 allows attackers to cause a denial of service (memory consumption) in Magick::Draw. | -- | Aug 8, 2023 |
CVE-2020-29599 | ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c. | HIGH | Dec 8, 2020 |
CVE-2014-9826 | ImageMagick allows remote attackers to have unspecified impact via vectors related to error handling in sun files. | High | Apr 4, 2017 |
CVE-2014-9809 | ImageMagick allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted xwd image. | Medium | Apr 4, 2017 |
CVE-2014-9805 | ImageMagick allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted pnm file. | Medium | Apr 4, 2017 |
CVE-2014-9808 | ImageMagick allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted dpc image. | Medium | Apr 4, 2017 |
CVE-2014-9818 | ImageMagick allows remote attackers to cause a denial of service (out-of-bounds access) via a malformed sun file. | Medium | Apr 4, 2017 |
CVE-2014-9816 | ImageMagick allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted viff file. | Medium | Apr 4, 2017 |
CVE-2014-9814 | ImageMagick allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted wpg file. | Medium | Apr 4, 2017 |
CVE-2014-9812 | ImageMagick allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted ps file. | Medium | Apr 4, 2017 |
CVE-2014-9806 | ImageMagick allows remote attackers to cause a denial of service (file descriptor consumption) via a crafted file. | Medium | Apr 4, 2017 |
CVE-2014-9815 | ImageMagick allows remote attackers to cause a denial of service (application crash) via a crafted wpg file. | Medium | Apr 4, 2017 |
CVE-2014-9813 | ImageMagick allows remote attackers to cause a denial of service (application crash) via a crafted viff file. | Medium | Apr 4, 2017 |
CVE-2022-44268 | ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it). | -- | Feb 6, 2023 |
CVE-2022-44267 | ImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input. | -- | Feb 6, 2023 |
CVE-2022-28463 | ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow. | MEDIUM | May 8, 2022 |
CVE-2020-13902 | ImageMagick 7.0.9-27 through 7.0.10-17 has a heap-based buffer over-read in BlobToStringInfo in MagickCore/string.c during TIFF image decoding. | MEDIUM | Jun 7, 2020 |
CVE-2018-16641 | ImageMagick 7.0.8-6 has a memory leak vulnerability in the TIFFWritePhotoshopLayers function in coders/tiff.c. | MEDIUM | Sep 6, 2018 |
CVE-2019-13454 | ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c. | Medium | Jul 10, 2019 |