Search
Total
4224 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-1314 | 1 Apple | 1 Mac Os X | 2014-04-24 | 10.0 HIGH | N/A |
| WindowServer in Apple OS X through 10.9.2 does not prevent session creation by a sandboxed application, which allows attackers to bypass the sandbox protection mechanism and execute arbitrary code via a crafted application. | |||||
| CVE-2012-5037 | 1 Cisco | 3 Catalyst 6500, Catalyst 7600, Ios | 2014-04-23 | 4.6 MEDIUM | N/A |
| The ACL implementation in Cisco IOS before 15.1(1)SY on Catalyst 6500 and 7600 devices allows local users to cause a denial of service (device reload) via a "no object-group" command followed by an object-group command, aka Bug ID CSCts16133. | |||||
| CVE-2013-5030 | 1 Ruckuswireless | 2 Zoneflex 2942, Zoneflex 2942 Firmware | 2014-04-23 | 7.2 HIGH | N/A |
| Ruckus Wireless Zoneflex 2942 devices with firmware 9.6.0.0.267 allow remote attackers to bypass authentication, and subsequently access certain configuration/ and maintenance/ scripts, by constructing a crafted URI after receiving an authentication error for an arbitrary login attempt. | |||||
| CVE-2014-2745 | 1 Prosody | 1 Prosody | 2014-04-19 | 7.8 HIGH | N/A |
| Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua. | |||||
| CVE-2014-1986 | 1 Kokuyo | 1 Camiapp | 2014-04-19 | 5.8 MEDIUM | N/A |
| The Content Provider in the KOKUYO CamiApp application 1.21.1 and earlier for Android allows attackers to bypass intended access restrictions and read database information via a crafted application. | |||||
| CVE-2013-1919 | 1 Xen | 1 Xen | 2014-04-19 | 4.7 MEDIUM | N/A |
| Xen 4.2.x and 4.1.x does not properly restrict access to IRQs, which allows local stub domain clients to gain access to IRQs and cause a denial of service via vectors related to "passed-through IRQs or PCI devices." | |||||
| CVE-2014-0071 | 1 Redhat | 1 Openstack | 2014-04-17 | 6.4 MEDIUM | N/A |
| PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections. | |||||
| CVE-2011-4406 | 1 Canonical | 2 Accountsservice, Ubuntu Linux | 2014-04-17 | 3.6 LOW | N/A |
| The Ubuntu AccountsService package before 0.6.14-1git1ubuntu1.1 does not properly drop privileges when changing language settings, which allows local users to modify arbitrary files via unspecified vectors. | |||||
| CVE-2013-1764 | 1 Packagekit Project | 1 Packagekit | 2014-04-17 | 2.1 LOW | N/A |
| The Zypper (aka zypp) backend in PackageKit before 0.8.8 allows local users to downgrade packages via the "install updates" method. | |||||
| CVE-2011-4089 | 1 Bzip | 1 Bzip2 | 2014-04-17 | 4.6 MEDIUM | N/A |
| The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory. | |||||
| CVE-2012-0214 | 1 Advanced Package Tool | 1 Advanced Package Tool | 2014-04-16 | 4.3 MEDIUM | N/A |
| The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user from downloading the new InRelease file, which leaves the original InRelease file active and makes it more difficult to detect that the Packages file is modified and unsigned. | |||||
| CVE-2014-2865 | 1 Paperthin | 1 Commonspot Content Server | 2014-04-16 | 7.5 HIGH | N/A |
| PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to bypass intended access restrictions via a '\0' character, as demonstrated by using this character within a pathname on the drive containing the web root directory of a ColdFusion installation. | |||||
| CVE-2014-2862 | 1 Paperthin | 1 Commonspot Content Server | 2014-04-16 | 6.5 MEDIUM | N/A |
| PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not check authorization in unspecified situations, which allows remote authenticated users to perform actions via unknown vectors. | |||||
| CVE-2014-0642 | 1 Emc | 1 Documentum Content Server | 2014-04-16 | 5.5 MEDIUM | N/A |
| EMC Documentum Content Server before 6.7 SP1 P26, 6.7 SP2 before P13, 7.0 before P13, and 7.1 before P02 allows remote authenticated users to bypass intended access restrictions and read metadata from certain folders via unspecified vectors. | |||||
| CVE-2014-2859 | 1 Paperthin | 1 Commonspot Content Server | 2014-04-16 | 7.5 HIGH | N/A |
| PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to bypass intended access restrictions via a direct request. | |||||
| CVE-2014-2690 | 1 Citrix | 1 Vdi-in-a-box | 2014-04-16 | 2.1 LOW | N/A |
| Citrix VDI-in-a-Box 5.3.x before 5.3.6 and 5.4.x before 5.4.3 allows local users to obtain administrator credentials by reading the log. | |||||
| CVE-2014-2849 | 1 Sophos | 2 Web Appliance, Web Appliance Firmware | 2014-04-14 | 8.5 HIGH | N/A |
| The Change Password dialog box (change_password) in Sophos Web Appliance before 3.8.2 allows remote authenticated users to change the admin user password via a crafted request. | |||||
| CVE-2014-2742 | 1 Isode | 1 M-link | 2014-04-11 | 7.8 HIGH | N/A |
| Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack. | |||||
| CVE-2014-2829 | 1 Erlang-solutions | 1 Mongooseim | 2014-04-11 | 7.8 HIGH | N/A |
| Erlang Solutions MongooseIM through 1.3.1 rev. 2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack. | |||||
| CVE-2014-2746 | 1 Tigase | 1 Tigase | 2014-04-11 | 7.8 HIGH | N/A |
| net/IOService.java in Tigase before 5.2.1 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack. | |||||
| CVE-2014-2743 | 1 Lightwitch | 1 Metronome | 2014-04-11 | 7.8 HIGH | N/A |
| plugins/mod_compression.lua in Lightwitch Metronome through 3.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack. | |||||
| CVE-2013-7367 | 1 Sap | 1 Enterprise Portal | 2014-04-11 | 7.5 HIGH | N/A |
| SAP Enterprise Portal does not properly restrict access to the Federation configuration pages, which allows remote attackers to gain privileges via unspecified vectors. | |||||
| CVE-2013-7364 | 1 Sap | 1 Netweaver | 2014-04-11 | 7.5 HIGH | N/A |
| An unspecified J2EE core service in the J2EE Engine in SAP NetWeaver does not properly restrict access, which allows remote attackers to read and write to arbitrary files via unknown vectors. | |||||
| CVE-2014-2265 | 2 Rocklobster, Wordpress | 2 Contact Form 7, Wordpress | 2014-04-09 | 5.0 MEDIUM | N/A |
| Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter. | |||||
| CVE-2014-0592 | 2 Crowbar, Novell | 2 Barclamp, Suse Cloud | 2014-04-04 | 7.5 HIGH | N/A |
| Barclamp (aka barclamp-network) 1.7 for the Crowbar Framework, as used in SUSE Cloud 3, does not enable netfilter on bridges when creating new instances, which allows remote attackers to bypass security group restrictions via unspecified vectors, related to floating IPs. | |||||
| CVE-2013-6770 | 2 Google, Koushik Dutta | 2 Android, Superuser | 2014-04-03 | 7.6 HIGH | N/A |
| The CyanogenMod/ClockWorkMod/Koush Superuser package 1.0.2.1 for Android 4.3 and 4.4 does not properly restrict the set of users who can execute /system/xbin/su with the --daemon option, which allows attackers to gain privileges by leveraging ADB shell access and a certain Linux UID, and then creating a Trojan horse script. | |||||
| CVE-2012-0032 | 1 Redhat | 1 Jboss Operations Network | 2014-04-01 | 3.7 LOW | N/A |
| Red Hat JBoss Operations Network (JON) before 3.0.1 uses 0777 permissions for the root directory when installing a remote client, which allows local users to read or modify subdirectories and files within the root directory, as demonstrated by obtaining JON credentials. | |||||
| CVE-2011-4573 | 1 Redhat | 1 Jboss Operations Network | 2014-04-01 | 3.5 LOW | N/A |
| Red Hat JBoss Operations Network (JON) before 2.4.2 does not properly enforce "modify resource" permissions for remote authenticated users when deleting a plug-in configuration update from the group connection properties history, which prevents such activities from being recorded in the audit trail. | |||||
| CVE-2014-2534 | 1 Blackberry | 1 Qnx Neutrino Rtos | 2014-04-01 | 4.9 MEDIUM | N/A |
| /sbin/pppoectl in BlackBerry QNX Neutrino RTOS 6.4.x and 6.5.x allows local users to obtain sensitive information by reading "bad parameter" lines in error messages, as demonstrated by reading the root password hash in /etc/shadow. | |||||
| CVE-2013-6660 | 1 Google | 1 Chrome | 2014-04-01 | 5.0 MEDIUM | N/A |
| The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site. | |||||
| CVE-2013-6657 | 1 Google | 1 Chrome | 2014-04-01 | 6.4 MEDIUM | N/A |
| core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 33.0.1750.117, inserts the about:blank URL during certain blocking of FORM elements within HTTP requests, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via unspecified vectors. | |||||
| CVE-2009-5138 | 1 Gnu | 1 Gnutls | 2014-04-01 | 5.8 MEDIUM | N/A |
| GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates, a different vulnerability than CVE-2014-1959. | |||||
| CVE-2013-6775 | 2 Chainfire, Google | 2 Supersu, Android | 2014-03-31 | 10.0 HIGH | N/A |
| The Chainfire SuperSU package before 1.69 for Android allows attackers to gain privileges via the (1) backtick or (2) $() type of shell metacharacters in the -c option to /system/xbin/su. | |||||
| CVE-2013-7347 | 1 Redhat | 2 Conga, Enterprise Linux | 2014-03-31 | 3.7 LOW | N/A |
| Luci in Red Hat Conga does not properly enforce the user session timeout, which might allow attackers to gain access to the session by reading the __ac session cookie. NOTE: this issue has been SPLIT due to different vulnerability types. Use CVE-2012-3359 for the base64-encoded storage of the user and password in a cookie. | |||||
| CVE-2014-1516 | 2 Google, Mozilla | 2 Android, Firefox | 2014-03-31 | 5.0 MEDIUM | N/A |
| The saltProfileName function in base/GeckoProfileDirectories.java in Mozilla Firefox through 28.0.1 on Android relies on Android's weak approach to seeding the Math.random function, which makes it easier for attackers to bypass a profile-randomization protection mechanism via a crafted application. | |||||
| CVE-2011-3196 | 1 Gplhost | 1 Domain Technologie Control | 2014-03-27 | 2.1 LOW | N/A |
| The setup script in Domain Technologie Control (DTC) before 0.34.1 uses world-readable permissions for /etc/apache2/apache2.conf, which allows local users to obtain the dtcdaemons MySQL password by reading the file. | |||||
| CVE-2014-2573 | 1 Openstack | 1 Compute | 2014-03-26 | 2.3 LOW | N/A |
| The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image. | |||||
| CVE-2011-3207 | 1 Openssl | 1 Openssl | 2014-03-26 | 5.0 MEDIUM | N/A |
| crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past. | |||||
| CVE-2010-1633 | 1 Openssl | 1 Openssl | 2014-03-26 | 6.4 MEDIUM | N/A |
| RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2014-2049 | 1 Owncloud | 1 Owncloud | 2014-03-25 | 5.0 MEDIUM | N/A |
| The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allows remote attackers to access user files via unspecified vectors. | |||||
| CVE-2011-5275 | 1 Gplhost | 1 Domain Technologie Control | 2014-03-21 | 7.5 HIGH | N/A |
| The install script in Domain Technologie Control (DTC) before 0.34.1 gives sudo permissions for chrootuid to the dtc user, which makes it easier for context-dependent users to gain privileges. | |||||
| CVE-2012-0322 | 2 Estrongs, Google | 2 Es File Explorer, Android | 2014-03-20 | 4.3 MEDIUM | N/A |
| The EStrongs ES File Explorer application 1.6.0.2 through 1.6.1.1 for Android does not properly restrict access, which allows remote attackers to read arbitrary files via vectors involving an unspecified function. | |||||
| CVE-2014-1977 | 2 Google, Nttdocomo | 2 Android, Spmode Mail Android | 2014-03-20 | 4.3 MEDIUM | N/A |
| The NTT DOCOMO sp mode mail application 6300 and earlier for Android 4.0.x and 6700 and earlier for Android 4.1 through 4.4 uses weak permissions for attachments during processing of incoming e-mail messages, which allows attackers to obtain sensitive information via a crafted application. | |||||
| CVE-2014-1978 | 2 Google, Nttdocomo | 2 Android, Spmode Mail Android | 2014-03-20 | 4.3 MEDIUM | N/A |
| The application link interface in the NTT DOCOMO sp mode mail application 6100 through 6300 for Android 4.0.x and 6130 through 6700 for Android 4.1 through 4.4 writes message content to the SD card during e-mail composition, which allows attackers to obtain sensitive information via a crafted application. | |||||
| CVE-2012-2212 | 1 Mcafee | 1 Web Gateway | 2014-03-19 | 5.0 MEDIUM | N/A |
| ** DISPUTED ** McAfee Web Gateway 7.0 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher did not provide configuration details for the vulnerable system, and the observed behavior might be consistent with a configuration that was (perhaps inadvertently) designed to allow access based on Host HTTP headers. | |||||
| CVE-2013-2047 | 1 Owncloud | 1 Owncloud | 2014-03-17 | 2.1 LOW | N/A |
| The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes it easier for physically proximate attackers to guess the password. | |||||
| CVE-2013-2048 | 1 Owncloud | 1 Owncloud | 2014-03-17 | 6.5 MEDIUM | N/A |
| ownCloud before 5.0.6 does not properly check permissions, which allows remote authenticated users to execute arbitrary API commands via unspecified vectors. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary API commands. | |||||
| CVE-2013-2043 | 1 Owncloud | 1 Owncloud | 2014-03-17 | 4.0 MEDIUM | N/A |
| apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which allows remote authenticated users to download arbitrary calendars via the calendar_id parameter. | |||||
| CVE-2013-1963 | 1 Owncloud | 1 Owncloud | 2014-03-17 | 4.0 MEDIUM | N/A |
| The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which allows remote authenticated users to download arbitrary contacts via unspecified vectors. | |||||
| CVE-2013-6476 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2014-03-17 | 4.4 MEDIUM | N/A |
| The OPVPWrapper::loadDriver function in oprs/OPVPWrapper.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allows local users to gain privileges via a Trojan horse driver in the same directory as the PDF file. | |||||