Total: 4224 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-2077 | 1 Xen | 1 Xen | 2014-12-12 | 5.2 MEDIUM | N/A |
| Xen 4.0.x, 4.1.x, and 4.2.x does not properly restrict the contents of a XRSTOR, which allows local PV guest users to cause a denial of service (unhandled exception and hypervisor crash) via unspecified vectors. | |||||
| CVE-2014-8453 | 3 Adobe, Apple, Microsoft | 4 Acrobat, Acrobat Reader, Mac Os X and 1 more | 2014-12-12 | 5.0 MEDIUM | N/A |
| Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow remote attackers to bypass the Same Origin Policy via unspecified vectors. | |||||
| CVE-2014-9091 | 1 Icecast | 1 Icecast | 2014-12-11 | 4.6 MEDIUM | N/A |
| Icecast before 2.4.0 does not change the supplementary group privileges when `<changeowner>` is configured, which allows local users to gain privileges via unspecified vectors. | |||||
| CVE-2014-3703 | 1 Redhat | 1 Packstack | 2014-12-05 | 5.0 MEDIUM | N/A |
| OpenStack PackStack 2012.2.1, when the Open vSwitch (OVS) monolithic plug-in is not used, does not properly set the libvirt_vif_driver configuration option when generating the nova.conf configuration, which causes the firewall to be disabled and allows remote attackers to bypass intended access restrictions. | |||||
| CVE-2014-5284 | 1 Ossec | 1 Ossec | 2014-12-02 | 7.2 HIGH | N/A |
| host-deny.sh in OSSEC before 2.8.1 writes to temporary files with predictable filenames without verifying ownership, which allows local users to modify access restrictions in hosts.deny and gain root privileges by creating the temporary files before automatic IP blocking is performed. | |||||
| CVE-2014-5268 | 1 Fasttoggle Project | 1 Fasttoggle | 2014-12-01 | 5.8 MEDIUM | N/A |
| The Fasttoggle module 7.x-1.3 and 7.x-1.4 for Drupal allows remote attackers to block or unblock an account via a crafted user status link. | |||||
| CVE-2014-8558 | 1 Jexperts | 1 Channel Platform | 2014-11-26 | 6.5 MEDIUM | N/A |
| JExperts Channel Platform 5.0.33_CCB allows remote authenticated users to bypass access restrictions via crafted action and key parameters. | |||||
| CVE-2014-1424 | 2 Canonical, Ubuntu | 2 Ubuntu, Apparmor | 2014-11-24 | 6.4 MEDIUM | N/A |
| apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a "miscompilation flaw." | |||||
| CVE-2014-7194 | 1 Tibco | 4 Managed File Transfer Command Center, Managed File Transfer Internet Server, Slingshot and 1 more | 2014-11-21 | 6.4 MEDIUM | N/A |
| TIBCO Managed File Transfer Internet Server before 7.2.4, Managed File Transfer Command Center before 7.2.4, Slingshot before 1.9.3, and Vault before 1.1.1 allow remote attackers to obtain sensitive information or modify data by leveraging agent access. | |||||
| CVE-2014-9026 | 1 Ubercart | 1 Ubercart | 2014-11-21 | 4.0 MEDIUM | N/A |
| The Ubercart module 7.x-3.x before 7.x-3.7 for Drupal does not properly protect the per-user order history view, which allows remote authenticated users with the "view own orders" permission to obtain sensitive information via unspecified vectors. | |||||
| CVE-2014-9022 | 1 Web Component Roles Project | 1 Web Component Roles | 2014-11-20 | 6.4 MEDIUM | N/A |
| The Webform Component Roles module 6.x-1.x before 6.x-1.8 and 7.x-1.x before 7.x-1.8 for Drupal allows remote attackers to bypass the "disabled" restriction and modify read-only components via a crafted form. | |||||
| CVE-2014-9024 | 1 Protected Pages Project | 1 Protected Pages | 2014-11-20 | 7.5 HIGH | N/A |
| The Protected Pages module 7.x-2.x before 7.x-2.4 for Drupal allows remote attackers to bypass the password protection via a crafted path. | |||||
| CVE-2014-9000 | 1 Mulesoft | 1 Mule Enterprise Management Console | 2014-11-20 | 6.5 MEDIUM | N/A |
| Mule Enterprise Management Console (MMC) does not properly restrict access to handler/securityService.rpc, which allows remote authenticated users to gain administrator privileges and execute arbitrary code via a crafted request that adds a new user. NOTE: this issue was originally reported for ESB Runtime 3.5.1, but it originates in MMC. | |||||
| CVE-2013-7345 | 1 Christos Zoulas | 1 File | 2014-11-19 | 5.0 MEDIUM | N/A |
| The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters. | |||||
| CVE-2014-3209 | 1 Nlnetlabs | 1 Ldns | 2014-11-17 | 2.1 LOW | N/A |
| The ldns-keygen tool in ldns 1.6.x uses the current umask to set the privileges of the private key, which might allow local users to obtain the private key by reading the file. | |||||
| CVE-2014-5424 | 1 Rockwellautomation | 1 Connected Components Workbench | 2014-11-14 | 7.5 HIGH | N/A |
| Rockwell Automation Connected Components Workbench (CCW) before 7.00.00 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an invalid property value to an ActiveX control that was built with an outdated compiler. | |||||
| CVE-2012-5243 | 1 Bananadance | 1 Banana Dance | 2014-10-24 | 5.0 MEDIUM | N/A |
| functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request. | |||||
| CVE-2014-7298 | 1 Centrify | 2 Centrify Suite, Directcontrol | 2014-10-24 | 4.9 MEDIUM | N/A |
| adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality. | |||||
| CVE-2009-1173 | 1 Ibm | 1 Websphere Application Server | 2014-10-24 | 2.1 LOW | N/A |
| IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 uses weak permissions (777) for files associated with unspecified "interim fixes," which allows attackers to modify files that would not have been accessible if the intended 755 permissions were used. | |||||
| CVE-2014-3381 | 1 Cisco | 1 Asyncos | 2014-10-22 | 5.0 MEDIUM | N/A |
| The ZIP inspection engine in Cisco AsyncOS 8.5 and earlier on the Cisco Email Security Appliance (ESA) does not properly analyze ZIP archives, which allows remote attackers to bypass malware filtering via a crafted archive, aka Bug ID CSCup07934. | |||||
| CVE-2014-4867 | 1 Cryoserver | 1 Cryoserver Security Appliance | 2014-10-15 | 6.8 MEDIUM | N/A |
| Cryoserver Security Appliance 7.3.x uses weak permissions for /etc/init.d/cryoserver, which allows local users to gain privileges by leveraging access to the support account and running the /bin/cryo-mgmt program. | |||||
| CVE-2014-6288 | 1 Alex Kellner | 1 Powermail | 2014-10-10 | 7.5 HIGH | N/A |
| The powermail extension 2.x before 2.0.11 for TYPO3 allows remote attackers to bypass the CAPTCHA protection mechanism via unspecified vectors. | |||||
| CVE-2014-5267 | 1 Drupal | 1 Drupal | 2014-10-10 | 6.8 MEDIUM | N/A |
| modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document. | |||||
| CVE-2014-7984 | 1 Joomla | 1 Joomla! | 2014-10-10 | 7.5 HIGH | N/A |
| Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to authenticate and bypass intended restrictions via vectors involving GMail authentication. | |||||
| CVE-2014-4869 | 1 Brocade | 2 Vyatta 5400 Vrouter, Vyatta 5400 Vrouter Software | 2014-10-07 | 5.0 MEDIUM | N/A |
| The Brocade Vyatta 5400 vRouter 6.4R(x), 6.6R(x), and 6.7R1 allows attackers to obtain sensitive encrypted-password information by leveraging membership in the operator group. | |||||
| CVE-2014-3642 | 1 Redhat | 6 Cloudforms 3.0.1 Management Engine, Cloudforms 3.0.2 Management Engine, Cloudforms 3.0.3 Management Engine and 3 more | 2014-10-07 | 6.5 MEDIUM | N/A |
| vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method." | |||||
| CVE-2014-3521 | 1 Redhat | 1 Conga | 2014-10-07 | 5.5 MEDIUM | N/A |
| The component in (1) /luci/homebase and (2) /luci/cluster menu in Red Hat Conga 0.12.2 allows remote authenticated users to bypass intended access restrictions via a crafted URL. | |||||
| CVE-2014-0140 | 1 Redhat | 6 Cloudforms 3.0.1 Management Engine, Cloudforms 3.0.2 Management Engine, Cloudforms 3.0.3 Management Engine and 3 more | 2014-10-07 | 4.0 MEDIUM | N/A |
| Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request. | |||||
| CVE-2014-3396 | 1 Cisco | 8 Asr 9000 Rsp440 Router, Asr 9001, Asr 9006 and 5 more | 2014-10-06 | 7.5 HIGH | N/A |
| Cisco IOS XR on ASR 9000 devices does not properly use compression for port-range and address-range encoding, which allows remote attackers to bypass intended Typhoon line-card ACL restrictions via transit traffic, aka Bug ID CSCup30133. | |||||
| CVE-2014-6289 | 2 Daniel Lienert, Michael Knoll | 2 Yet Another Gallery, Tools For Extbase Developmen | 2014-10-06 | 7.5 HIGH | N/A |
| The Ajax dispatcher for Extbase in the Yet Another Gallery (yag) extension before 3.0.1 and Tools for Extbase development (pt_extbase) extension before 1.5.1 allows remote attackers to bypass access restrictions and execute arbitrary controller actions via unspecified vectors. | |||||
| CVE-2012-5489 | 2 Plone, Zope | 2 Plone, Zope | 2014-10-02 | 6.5 MEDIUM | N/A |
| The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors. | |||||
| CVE-2012-5501 | 1 Plone | 1 Plone | 2014-10-01 | 5.0 MEDIUM | N/A |
| at_download.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read arbitrary BLOBs (Files and Images) stored on custom content types via a crafted URL. | |||||
| CVE-2012-5487 | 1 Plone | 1 Plone | 2014-10-01 | 8.5 HIGH | N/A |
| The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing. | |||||
| CVE-2013-3632 | 1 Openmediavault | 1 Openmediavault | 2014-09-30 | 9.0 HIGH | N/A |
| The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter. | |||||
| CVE-2014-3811 | 1 Juniper | 2 Juniper Installer Service Client, Junos Pulse Client | 2014-09-30 | 7.2 HIGH | N/A |
| Juniper Installer Service (JIS) Client 7.x before 7.4R6 for Windows and Junos Pulse Client before 4.0R6 allows local users to gain privileges via unspecified vectors. | |||||
| CVE-2013-3066 | 1 Linksys | 2 Ea6500, Ea6500 Firmware | 2014-09-30 | 7.1 HIGH | N/A |
| Linksys EA6500 with firmware 1.1.28.147876 does not properly restrict access, which allows remote attackers to obtain sensitive information (clients and router configuration) via a request to /JNAP/. | |||||
| CVE-2014-0484 | 1 Canonical | 1 Acpi-support | 2014-09-24 | 7.2 HIGH | N/A |
| The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment." | |||||
| CVE-2014-2375 | 1 Ecava | 1 Integraxor | 2014-09-16 | 9.0 HIGH | N/A |
| Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature. | |||||
| CVE-2014-5269 | 1 Plack Project | 1 Plack | 2014-09-08 | 5.0 MEDIUM | N/A |
| Plack::App::File in Plack before 1.0031 removes trailing slash characters from paths, which allows remote attackers to bypass the whitelist of generated files and obtain sensitive information via a crafted path, related to Plack::Middleware::Static. | |||||
| CVE-2013-6398 | 1 Apache | 1 Cloudstack | 2014-09-04 | 2.8 LOW | N/A |
| The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request. | |||||
| CVE-2013-2595 | 1 Codeaurora | 1 Android-msm | 2014-09-02 | 7.2 HIGH | N/A |
| The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which allows attackers to gain privileges via a crafted application. | |||||
| CVE-2014-5457 | 1 Qnap | 8 Ss-839, Ss-839 Firmware, Ts-459u and 5 more | 2014-08-26 | 2.1 LOW | N/A |
| QNAP TS-469U with firmware 4.0.7 Build 20140410, TS-459U, TS-EC1679U-RP, and SS-839 use world-readable permissions for /etc/config/shadow, which allows local users to obtain usernames and hashed passwords by reading the password. | |||||
| CVE-2014-5453 | 1 Ubi | 1 Uplay Pc | 2014-08-26 | 7.2 HIGH | N/A |
| Ubisoft Uplay PC before 4.6.1.3217 use weak permissions (Everyone: Full Control) for the program installation directory (%PROGRAMFILES%\Ubisoft Game Launcher), which allows local users to gain privileges via a Trojan horse file. | |||||
| CVE-2014-3800 | 1 Xbmc | 1 Xbmc | 2014-08-07 | 2.1 LOW | N/A |
| XBMC 13.0 uses world-readable permissions for .xbmc/userdata/sources.xml, which allows local users to obtain user names and passwords by reading this file. | |||||
| CVE-2014-3772 | 1 Teampass | 1 Teampass | 2014-08-07 | 7.5 HIGH | N/A |
| TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via a request to index.php followed by a direct request to a file that calls the session_start function before checking the CPM key, as demonstrated by a request to sources/upload/upload.files.php. | |||||
| CVE-2014-3771 | 1 Teampass | 1 Teampass | 2014-08-07 | 7.5 HIGH | N/A |
| TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via the language file path in a (1) request to index.php or (2) "change_user_language" request to sources/main.queries.php. | |||||
| CVE-2014-0539 | 4 Adobe, Apple, Linux and 1 more | 6 Adobe Air, Adobe Air Sdk, Flash Player and 3 more | 2014-08-05 | 7.5 HIGH | N/A |
| Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0537. | |||||
| CVE-2014-0537 | 4 Adobe, Apple, Linux and 1 more | 6 Adobe Air, Adobe Air Sdk, Flash Player and 3 more | 2014-08-05 | 7.5 HIGH | N/A |
| Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0539. | |||||
| CVE-2014-1993 | 1 Cybozu | 1 Garoon | 2014-08-04 | 4.0 MEDIUM | N/A |
| The Portlets subsystem in Cybozu Garoon 2.x and 3.x before 3.7 SP4 allows remote authenticated users to bypass intended access restrictions via unspecified vectors. | |||||
| CVE-2014-1996 | 1 Cybozu | 1 Garoon | 2014-08-04 | 7.5 HIGH | N/A |
| Cybozu Garoon 3.7 before SP4 allows remote authenticated users to bypass intended access restrictions, and execute arbitrary code or cause a denial of service, via an API call. | |||||
