Search
Total
5300 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-1425 | 2 Canonical, Linuxcontainers | 2 Ubuntu Linux, Cgmanager | 2015-01-08 | 2.1 LOW | N/A |
| cmanager 0.32 does not properly enforce nesting when modifying cgroup properties, which allows local users to set cgroup values for all cgroups via unspecified vectors. | |||||
| CVE-2014-8131 | 1 Redhat | 1 Libvirt | 2015-01-06 | 4.0 MEDIUM | N/A |
| The qemu implementation of virConnectGetAllDomainStats in libvirt before 1.2.11 does not properly handle locks when a domain is skipped due to ACL restrictions, which allows a remote authenticated users to cause a denial of service (deadlock or segmentation fault and crash) via a request to access the users does not have privileges to access. | |||||
| CVE-2013-6457 | 1 Redhat | 1 Libvirt | 2015-01-03 | 5.2 MEDIUM | N/A |
| The libxlDomainGetNumaParameters function in the libxl driver (libxl/libxl_driver.c) in libvirt before 1.2.1 does not properly initialize the nodemap, which allows local users to cause a denial of service (invalid free operation and crash) or possibly execute arbitrary code via an inactive domain to the virsh numatune command. | |||||
| CVE-2014-0028 | 1 Redhat | 1 Libvirt | 2015-01-03 | 4.3 MEDIUM | N/A |
| libvirt 1.1.1 through 1.2.0 allows context-dependent attackers to bypass the domain:getattr and connect:search_domains restrictions in ACLs and obtain sensitive domain object information via a request to the (1) virConnectDomainEventRegister and (2) virConnectDomainEventRegisterAny functions in the event registration API. | |||||
| CVE-2013-6436 | 1 Redhat | 1 Libvirt | 2015-01-03 | 2.1 LOW | N/A |
| The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt 1.0.5 through 1.2.0 does not properly check the status of LXC guests when reading memory tunables, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) via a guest in the shutdown status, as demonstrated by the "virsh memtune" command. | |||||
| CVE-2011-5294 | 1 Kofax | 1 Kofax E-transactions Sender Sendbox | 2015-01-03 | 6.4 MEDIUM | N/A |
| The SaveMessage method in the LEADeMail.LEADSmtp.20 ActiveX control in LTCML14n.dll 14.0.0.34 in Kofax e-Transactions Sender Sendbox 2.5.0.933 allows remote attackers to write to arbitrary files via a pathname in the first argument. | |||||
| CVE-2011-5292 | 1 Easewe Software | 1 Easewe Ftp Ocx Activex Control | 2015-01-03 | 7.5 HIGH | N/A |
| The EaseWeFtp.FtpLibrary ActiveX control in EaseWeFtp.ocx in Easewe FTP OCX 4.5.0.9 does not restrict access to certain methods, which allows remote attackers to execute arbitrary files via a pathname in the first argument to the (1) Execute or (2) Run method, (3) write to arbitrary files via a pathname in the argument to the CreateLocalFile method, (4) create arbitrary directories via a pathname in the argument to the CreateLocalFolder method, or (5) delete arbitrary files via a pathname in the argument to the DeleteLocalFile method. | |||||
| CVE-2011-5291 | 1 Ashampoo Gmbh \& Co. | 1 Ashampoo 3d Cad Professional 3 | 2015-01-03 | 6.4 MEDIUM | N/A |
| The SaveData method in the Cygnicon.ViewControl.1 ActiveX control in CyViewer.ocx in Ashampoo 3D CAD Professional 3.x before 3.0.2 allows remote attackers to write to arbitrary files via a pathname in the first argument. | |||||
| CVE-2011-5290 | 1 Idrive Inc | 1 Idrive Online Backup | 2015-01-03 | 6.4 MEDIUM | N/A |
| The SaveToFile method in the UniBasicPack.UniTextBox ActiveX control in UniBasic100_EDA1811C.ocx in IDrive Online Backup 3.4.0 allows remote attackers to write to arbitrary files via a pathname in the first argument. | |||||
| CVE-2011-5289 | 1 Diego Uscanga | 1 Atube Catcher | 2015-01-03 | 6.4 MEDIUM | N/A |
| The SaveDecrypted method in the ChilkatCrypt2.ChilkatOmaDrm.1 ActiveX control in ChilkatCrypt2.dll in aTube Catcher 2.3.570 allows remote attackers to write to arbitrary files via a pathname in the argument. | |||||
| CVE-2013-4400 | 1 Redhat | 1 Libvirt | 2015-01-02 | 7.2 HIGH | N/A |
| virt-login-shell in libvirt 1.1.2 through 1.1.3 allows local users to overwrite arbitrary files and possibly gain privileges via unspecified environment variables or command-line arguments. | |||||
| CVE-2013-4401 | 1 Redhat | 1 Libvirt | 2015-01-02 | 8.5 HIGH | N/A |
| The virConnectDomainXMLToNative API function in libvirt 1.1.0 through 1.1.3 checks for the connect:read permission instead of the connect:write permission, which allows attackers to gain domain:write privileges and execute Qemu binaries via crafted XML. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2014-2209 | 1 Facebook | 1 Hiphop Virtual Machine | 2014-12-30 | 5.0 MEDIUM | N/A |
| Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory. | |||||
| CVE-2014-7995 | 1 Cisco | 6 Meraki Mr, Meraki Mr Firmware, Meraki Ms and 3 more | 2014-12-24 | 7.2 HIGH | N/A |
| Cisco-Meraki MS, MR, and MX devices with firmware before 2014-09-24 allow physically proximate attackers to obtain shell access by opening a device's case and connecting a cable to a serial port, aka Cisco-Meraki defect ID 00302077. | |||||
| CVE-2014-7999 | 1 Cisco | 6 Meraki Mr, Meraki Mr Firmware, Meraki Ms and 3 more | 2014-12-24 | 7.7 HIGH | N/A |
| Cisco-Meraki MS, MR, and MX devices with firmware before 2014-09-24 allow remote authenticated users to install arbitrary firmware by leveraging unspecified HTTP handler access on the local network, aka Cisco-Meraki defect ID 00478565. | |||||
| CVE-2014-9193 | 1 Innominate | 1 Mguard Firmware | 2014-12-22 | 9.0 HIGH | N/A |
| Innominate mGuard with firmware before 7.6.6 and 8.x before 8.1.4 allows remote authenticated admins to obtain root privileges by changing a PPP configuration setting. | |||||
| CVE-2014-4626 | 1 Emc | 1 Documentum Content Server | 2014-12-17 | 9.0 HIGH | N/A |
| EMC Documentum Content Server before 6.7 SP1 P29, 6.7 SP2 before P18, 7.0 before P16, and 7.1 before P09 allows remote authenticated users to gain privileges by (1) placing a command in a dm_job object and setting this object's owner to a privileged user or placing a rename action in a dm_job_request object and waiting for a (2) dm_UserRename or (3) dm_GroupRename service task, aka ESA-2014-105. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2515. | |||||
| CVE-2014-9141 | 1 Thomsonreuters | 1 Fixed Assets Cs | 2014-12-17 | 7.2 HIGH | N/A |
| The installer in Thomson Reuters Fixed Assets CS 13.1.4 and earlier uses weak permissions for connectbgdl.exe, which allows local users to execute arbitrary code by modifying this program. | |||||
| CVE-2014-8610 | 1 Google | 1 Android | 2014-12-16 | 3.3 LOW | N/A |
| AndroidManifest.xml in Android before 5.0.0 does not require the SEND_SMS permission for the SmsReceiver receiver, which allows attackers to send stored SMS messages, and consequently transmit arbitrary new draft SMS messages or trigger additional per-message charges from a network operator for old messages, via a crafted application that broadcasts an intent with the com.android.mms.transaction.MESSAGE_SENT action, aka Bug 17671795. | |||||
| CVE-2014-8609 | 1 Google | 1 Android | 2014-12-16 | 7.2 HIGH | N/A |
| The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824. | |||||
| CVE-2014-7911 | 1 Google | 1 Android | 2014-12-16 | 7.2 HIGH | N/A |
| luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the requirements for serialization, which allows attackers to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy, aka Bug 15874291. | |||||
| CVE-2012-5696 | 1 Bulbsecurity | 1 Smartphone Pentest Framework | 2014-12-16 | 5.0 MEDIUM | N/A |
| Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request. | |||||
| CVE-2012-5697 | 1 Bulbsecurity | 1 Smartphone Pentest Framework | 2014-12-16 | 4.6 MEDIUM | N/A |
| The btinstall installation script in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 uses weak permissions (777) for all files in the frameworkgui/ directory, which allows local users to obtain sensitive information or inject arbitrary Perl code via direct access to these files. | |||||
| CVE-2014-6408 | 1 Docker | 1 Docker | 2014-12-15 | 5.0 MEDIUM | N/A |
| Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image. | |||||
| CVE-2014-9113 | 1 Cchgroup | 1 Prosystem Fx Engagement | 2014-12-15 | 7.2 HIGH | N/A |
| CCH Wolters Kluwer ProSystem fx Engagement (aka PFX Engagement) 7.1 and earlier uses weak permissions (Authenticated Users: Modify and Write) for the (1) Pfx.Engagement.WcfServices, (2) PFXEngDesktopService, (3) PFXSYNPFTService, and (4) P2EWinService service files in PFX Engagement\, which allows local users to obtain LocalSystem privileges via a Trojan horse file. | |||||
| CVE-2013-2077 | 1 Xen | 1 Xen | 2014-12-12 | 5.2 MEDIUM | N/A |
| Xen 4.0.x, 4.1.x, and 4.2.x does not properly restrict the contents of a XRSTOR, which allows local PV guest users to cause a denial of service (unhandled exception and hypervisor crash) via unspecified vectors. | |||||
| CVE-2013-2211 | 1 Xen | 1 Xen | 2014-12-12 | 7.4 HIGH | N/A |
| The libxenlight (libxl) toolstack library in Xen 4.0.x, 4.1.x, and 4.2.x uses weak permissions for xenstore keys for paravirtualised and emulated serial console devices, which allows local guest administrators to modify the xenstore value via unspecified vectors. | |||||
| CVE-2014-8453 | 3 Adobe, Apple, Microsoft | 4 Acrobat, Acrobat Reader, Mac Os X and 1 more | 2014-12-12 | 5.0 MEDIUM | N/A |
| Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow remote attackers to bypass the Same Origin Policy via unspecified vectors. | |||||
| CVE-2014-9091 | 1 Icecast | 1 Icecast | 2014-12-11 | 4.6 MEDIUM | N/A |
| Icecast before 2.4.0 does not change the supplementary group privileges when <changeowner> is configured, which allows local users to gain privileges via unspecified vectors. | |||||
| CVE-2014-3703 | 1 Redhat | 1 Packstack | 2014-12-05 | 5.0 MEDIUM | N/A |
| OpenStack PackStack 2012.2.1, when the Open vSwitch (OVS) monolithic plug-in is not used, does not properly set the libvirt_vif_driver configuration option when generating the nova.conf configuration, which causes the firewall to be disabled and allows remote attackers to bypass intended access restrictions. | |||||
| CVE-2014-5284 | 1 Ossec | 1 Ossec | 2014-12-02 | 7.2 HIGH | N/A |
| host-deny.sh in OSSEC before 2.8.1 writes to temporary files with predictable filenames without verifying ownership, which allows local users to modify access restrictions in hosts.deny and gain root privileges by creating the temporary files before automatic IP blocking is performed. | |||||
| CVE-2014-5268 | 1 Fasttoggle Project | 1 Fasttoggle | 2014-12-01 | 5.8 MEDIUM | N/A |
| The Fasttoggle module 7.x-1.3 and 7.x-1.4 for Drupal allows remote attackers to block or unblock an account via a crafted user status link. | |||||
| CVE-2014-8558 | 1 Jexperts | 1 Channel Platform | 2014-11-26 | 6.5 MEDIUM | N/A |
| JExperts Channel Platform 5.0.33_CCB allows remote authenticated users to bypass access restrictions via crafted action and key parameters. | |||||
| CVE-2014-1424 | 2 Canonical, Ubuntu | 2 Ubuntu, Apparmor | 2014-11-24 | 6.4 MEDIUM | N/A |
| apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a "miscompilation flaw." | |||||
| CVE-2014-7194 | 1 Tibco | 4 Managed File Transfer Command Center, Managed File Transfer Internet Server, Slingshot and 1 more | 2014-11-21 | 6.4 MEDIUM | N/A |
| TIBCO Managed File Transfer Internet Server before 7.2.4, Managed File Transfer Command Center before 7.2.4, Slingshot before 1.9.3, and Vault before 1.1.1 allow remote attackers to obtain sensitive information or modify data by leveraging agent access. | |||||
| CVE-2014-9026 | 1 Ubercart | 1 Ubercart | 2014-11-21 | 4.0 MEDIUM | N/A |
| The Ubercart module 7.x-3.x before 7.x-3.7 for Drupal does not properly protect the per-user order history view, which allows remote authenticated users with the "view own orders" permission to obtain sensitive information via unspecified vectors. | |||||
| CVE-2014-9022 | 1 Web Component Roles Project | 1 Web Component Roles | 2014-11-20 | 6.4 MEDIUM | N/A |
| The Webform Component Roles module 6.x-1.x before 6.x-1.8 and 7.x-1.x before 7.x-1.8 for Drupal allows remote attackers to bypass the "disabled" restriction and modify read-only components via a crafted form. | |||||
| CVE-2014-9024 | 1 Protected Pages Project | 1 Protected Pages | 2014-11-20 | 7.5 HIGH | N/A |
| The Protected Pages module 7.x-2.x before 7.x-2.4 for Drupal allows remote attackers to bypass the password protection via a crafted path. | |||||
| CVE-2014-9000 | 1 Mulesoft | 1 Mule Enterprise Management Console | 2014-11-20 | 6.5 MEDIUM | N/A |
| Mule Enterprise Management Console (MMC) does not properly restrict access to handler/securityService.rpc, which allows remote authenticated users to gain administrator privileges and execute arbitrary code via a crafted request that adds a new user. NOTE: this issue was originally reported for ESB Runtime 3.5.1, but it originates in MMC. | |||||
| CVE-2013-7345 | 1 Christos Zoulas | 1 File | 2014-11-19 | 5.0 MEDIUM | N/A |
| The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters. | |||||
| CVE-2014-3209 | 1 Nlnetlabs | 1 Ldns | 2014-11-17 | 2.1 LOW | N/A |
| The ldns-keygen tool in ldns 1.6.x uses the current umask to set the privileges of the private key, which might allow local users to obtain the private key by reading the file. | |||||
| CVE-2014-5424 | 1 Rockwellautomation | 1 Connected Components Workbench | 2014-11-14 | 7.5 HIGH | N/A |
| Rockwell Automation Connected Components Workbench (CCW) before 7.00.00 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an invalid property value to an ActiveX control that was built with an outdated compiler. | |||||
| CVE-2012-5243 | 1 Bananadance | 1 Banana Dance | 2014-10-24 | 5.0 MEDIUM | N/A |
| functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request. | |||||
| CVE-2014-7298 | 1 Centrify | 2 Centrify Suite, Directcontrol | 2014-10-24 | 4.9 MEDIUM | N/A |
| adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality. | |||||
| CVE-2009-1173 | 1 Ibm | 1 Websphere Application Server | 2014-10-24 | 2.1 LOW | N/A |
| IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 uses weak permissions (777) for files associated with unspecified "interim fixes," which allows attackers to modify files that would not have been accessible if the intended 755 permissions were used. | |||||
| CVE-2014-3381 | 1 Cisco | 1 Asyncos | 2014-10-22 | 5.0 MEDIUM | N/A |
| The ZIP inspection engine in Cisco AsyncOS 8.5 and earlier on the Cisco Email Security Appliance (ESA) does not properly analyze ZIP archives, which allows remote attackers to bypass malware filtering via a crafted archive, aka Bug ID CSCup07934. | |||||
| CVE-2014-4867 | 1 Cryoserver | 1 Cryoserver Security Appliance | 2014-10-15 | 6.8 MEDIUM | N/A |
| Cryoserver Security Appliance 7.3.x uses weak permissions for /etc/init.d/cryoserver, which allows local users to gain privileges by leveraging access to the support account and running the /bin/cryo-mgmt program. | |||||
| CVE-2014-6288 | 1 Alex Kellner | 1 Powermail | 2014-10-10 | 7.5 HIGH | N/A |
| The powermail extension 2.x before 2.0.11 for TYPO3 allows remote attackers to bypass the CAPTCHA protection mechanism via unspecified vectors. | |||||
| CVE-2014-5267 | 1 Drupal | 1 Drupal | 2014-10-10 | 6.8 MEDIUM | N/A |
| modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document. | |||||
| CVE-2014-7984 | 1 Joomla | 1 Joomla\! | 2014-10-10 | 7.5 HIGH | N/A |
| Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to authenticate and bypass intended restrictions via vectors involving GMail authentication. | |||||