Search
Total
5300 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-3790 | 1 Vmware | 1 Vcenter Server Appliance | 2014-06-21 | 9.0 HIGH | N/A |
| Ruby vSphere Console (RVC) in VMware vCenter Server Appliance allows remote authenticated users to execute arbitrary commands as root by escaping from a chroot jail. | |||||
| CVE-2014-0167 | 1 Openstack | 2 Compute, Icehouse | 2014-06-21 | 6.0 MEDIUM | N/A |
| The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests. | |||||
| CVE-2013-1068 | 1 Canonical | 1 Ubuntu Linux | 2014-06-20 | 5.0 MEDIUM | N/A |
| The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability. | |||||
| CVE-2014-2504 | 1 Emc | 1 Documentum D2 | 2014-06-18 | 9.0 HIGH | N/A |
| EMC Documentum D2 3.1 before P20, 3.1 SP1 before P02, 4.0 before P10, 4.1 before P13, and 4.2 before P01 allows remote authenticated users to bypass intended access restrictions and execute arbitrary Documentum Query Language (DQL) queries by calling (1) a core method or (2) a D2FS web-service method. | |||||
| CVE-2014-2084 | 1 Skyboxsecurity | 2 Skybox View Appliance, Skybox View Appliance Iso | 2014-06-13 | 8.5 HIGH | N/A |
| Skybox View Appliances with ISO 6.3.33-2.14, 6.3.31-2.14, 6.4.42-2.54, 6.4.45-2.56, and 6.4.46-2.57 does not properly restrict access to the Admin interface, which allows remote attackers to obtain sensitive information via a request to (1) scripts/commands/getSystemInformation or (2) scripts/commands/getNetworkConfigurationInfo, cause a denial of service (reboot) via a request to scripts/commands/reboot, or cause a denial of service (shutdown) via a request to scripts/commands/shutdown. | |||||
| CVE-2013-7065 | 1 Organic Groups Project | 1 Organic Groups | 2014-06-13 | 5.8 MEDIUM | N/A |
| The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal allows remote attackers to bypass access restrictions and post to arbitrary groups via a group audience field, as demonstrated by the og_group_ref field. | |||||
| CVE-2014-3980 | 1 Daiki Ueno | 1 Libfep | 2014-06-12 | 4.6 MEDIUM | N/A |
| libfep 0.0.5 before 0.1.0 does not properly use UNIX domain sockets in the abstract namespace, which allows local users to gain privileges via unspecified vectors. | |||||
| CVE-2012-5390 | 1 Condor Project | 1 Condor | 2014-06-09 | 10.0 HIGH | N/A |
| The standard universe shadow (condor_shadow.std) component in Condor 7.7.3 through 7.7.6, 7.8.0 before 7.8.5, and 7.9.0 does no properly check privileges, which allows remote attackers to gain privileges via a crafted standard universe job. | |||||
| CVE-2014-3837 | 1 Owncloud | 1 Owncloud | 2014-06-05 | 4.0 MEDIUM | N/A |
| The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors. | |||||
| CVE-2014-3838 | 1 Owncloud | 1 Owncloud | 2014-06-05 | 4.0 MEDIUM | N/A |
| ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts. | |||||
| CVE-2014-3963 | 1 Owncloud | 1 Owncloud | 2014-06-05 | 4.0 MEDIUM | N/A |
| ownCloud Server before 6.0.1 does not properly check permissions, which allows remote authenticated users to access arbitrary preview pictures via unspecified vectors. | |||||
| CVE-2013-0304 | 1 Owncloud | 1 Owncloud | 2014-06-05 | 4.0 MEDIUM | N/A |
| ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is. | |||||
| CVE-2014-3835 | 1 Owncloud | 1 Owncloud | 2014-06-05 | 5.5 MEDIUM | N/A |
| ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors. | |||||
| CVE-2014-3834 | 1 Owncloud | 1 Owncloud | 2014-06-04 | 7.5 HIGH | N/A |
| ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contacts of other users via the address book or (2) rename files via unspecified vectors. | |||||
| CVE-2013-4596 | 1 Danielkorte | 1 Nodeaccesskeys | 2014-06-03 | 5.8 MEDIUM | N/A |
| The Node Access Keys module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote attackers to bypass access restrictions via a node listing. | |||||
| CVE-2014-3417 | 1 Jasig | 1 Uportal | 2014-05-30 | 6.5 MEDIUM | N/A |
| uPortal before 4.0.13.1 does not properly check the CONFIG permission, which allows remote authenticated users to configure portlets by leveraging the SUBSCRIBE permission for a portlet. | |||||
| CVE-2014-3416 | 1 Jasig | 1 Uportal | 2014-05-30 | 6.5 MEDIUM | N/A |
| uPortal before 4.0.13.1 does not properly check the MANAGE permissions, which allows remote authenticated users to manage arbitrary portlets by leveraging the SUBSCRIBE permission for the portlet-admin portlet. | |||||
| CVE-2014-0201 | 1 Redhat | 1 Rhevm-reports | 2014-05-30 | 2.1 LOW | N/A |
| ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports package (rhevm-reports) before 3.3.3, uses world-readable permissions on configuration files, which allows local users to obtain sensitive information by reading the files. | |||||
| CVE-2014-0200 | 1 Redhat | 1 Rhevm-reports | 2014-05-30 | 2.1 LOW | N/A |
| The Red Hat Enterprise Virtualization Manager reports (rhevm-reports) package before 3.3.3-1 uses world-readable permissions on the datasource configuration file (js-jboss7-ds.xml), which allows local users to obtain sensitive information by reading the file. | |||||
| CVE-2013-4177 | 2 Drupal, Google Authenticator Login Project | 2 Drupal, Ga Login | 2014-05-30 | 5.0 MEDIUM | N/A |
| The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal does not properly identify user account names, which might allow remote attackers to bypass the two-factor authentication requirement via unspecified vectors. | |||||
| CVE-2012-0943 | 2 Canonical, Robert Ancell | 2 Ubuntu Linux, Lightdm | 2014-05-30 | 2.1 LOW | N/A |
| debian/guest-account in Light Display Manager (lightdm) 1.0.x before 1.0.6 and 1.1.x before 1.1.7, as used in Ubuntu Linux 11.10, allows local users to delete arbitrary files via a space in the name of a file in /tmp. NOTE: this identifier was SPLIT per ADT1/ADT2 due to different codebases and affected versions. CVE-2012-6648 has been assigned for the gdm-guest-session issue. | |||||
| CVE-2014-2200 | 1 Cisco | 5 Nexus 7000, Nexus 7000 10-slot, Nexus 7000 18-slot and 2 more | 2014-05-27 | 7.1 HIGH | N/A |
| Cisco NX-OS 5.0 before 5.0(5) on Nexus 7000 devices, when local authentication and multiple VDCs are enabled, allows remote authenticated users to gain privileges within an unintended VDC via an SSH session to a management interface, aka Bug ID CSCti11629. | |||||
| CVE-2013-1191 | 1 Cisco | 5 Nexus 7000, Nexus 7000 10-slot, Nexus 7000 18-slot and 2 more | 2014-05-27 | 7.1 HIGH | N/A |
| Cisco NX-OS 6.1 before 6.1(5) on Nexus 7000 devices, when local authentication and multiple VDCs are enabled, allows remote authenticated users to gain privileges within an unintended VDC via crafted SSH key data in an SSH session to a management interface, aka Bug ID CSCud88400. | |||||
| CVE-2014-3849 | 1 Imember360 | 1 Imember360 | 2014-05-27 | 4.3 MEDIUM | N/A |
| The iMember360 plugin 3.8.012 through 3.9.001 for WordPress does not properly restrict access, which allows remote attackers to delete arbitrary users via a request containing a user name in the Email parameter and the API key in the i4w_clearuser parameter. | |||||
| CVE-2014-3848 | 1 Imember360 | 1 Imember360 | 2014-05-27 | 5.0 MEDIUM | N/A |
| The iMember360 plugin before 3.9.001 for WordPress does not properly restrict access, which allows remote attackers to obtain database credentials via the i4w_dbinfo parameter. | |||||
| CVE-2014-2349 | 1 Emerson | 1 Deltav | 2014-05-23 | 4.6 MEDIUM | N/A |
| Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 allows local users to modify or read configuration files by leveraging engineering-level privileges. | |||||
| CVE-2013-7383 | 1 X2go | 1 X2go Server | 2014-05-21 | 9.0 HIGH | N/A |
| x2gocleansessions in X2Go Server before 4.0.0.8 and 4.0.1.x before 4.0.1.10 allows remote authenticated users to gain privileges via unspecified vectors, possibly related to backticks. | |||||
| CVE-2013-4320 | 1 Typo3 | 1 Typo3 | 2014-05-21 | 5.5 MEDIUM | N/A |
| The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 does not properly check permissions, which allows remote authenticated users to create or read arbitrary files via a crafted URL. | |||||
| CVE-2012-6146 | 1 Typo3 | 1 Typo3 | 2014-05-21 | 4.0 MEDIUM | N/A |
| The Backend History Module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 does not properly restrict access, which allows remote authenticated editors to read the history of arbitrary records via a crafted URL. | |||||
| CVE-2013-4431 | 1 Mahara | 1 Mahara | 2014-05-19 | 5.5 MEDIUM | N/A |
| Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 does not properly prevent access to blocks, which allows remote authenticated users to modify arbitrary blocks via the bock id in an edit request. | |||||
| CVE-2013-4432 | 1 Mahara | 1 Mahara | 2014-05-19 | 4.0 MEDIUM | N/A |
| Mahara before 1.5.13, 1.6.x before 1.6.8, and 1.7.x before 1.7.4 does not properly restrict access to folders, which allows remote authenticated users to read arbitrary folders (1) by leveraging an active folder tab loaded before permissions were removed or (2) via the folder parameter to artefact/file/groupfiles.php. | |||||
| CVE-2013-4429 | 1 Mahara | 1 Mahara | 2014-05-19 | 4.0 MEDIUM | N/A |
| Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 does not properly restrict access to artefacts, which allows remote authenticated users to read arbitrary artefacts via the (1) artefact id in an upload action when creating a journal or (2) instconf_artefactid_selected[ID] parameter in an upload action when editing a block. | |||||
| CVE-2013-4406 | 1 Quick Tabs Module Project | 1 Quicktabs | 2014-05-19 | 5.0 MEDIUM | N/A |
| The Quick Tabs module 6.x-2.x before 6.x-2.2, 6.x-3.x before 6.x-3.2, and 7.x-3.x before 7.x-3.6 for Drupal does not properly check block permissions, which allows remote attackers to obtain sensitive information by reading a Quick Tab. | |||||
| CVE-2014-1347 | 1 Apple | 2 Itunes, Mac Os X | 2014-05-19 | 4.4 MEDIUM | N/A |
| Apple iTunes before 11.2.1 on OS X sets world-writable permissions for /Users and /Users/Shared during reboots, which allows local users to modify files, and consequently obtain access to arbitrary user accounts, via standard filesystem operations. | |||||
| CVE-2013-4498 | 2 Drupal, Florian Weber | 2 Drupal, Spaces | 2014-05-19 | 2.1 LOW | N/A |
| The Spaces OG submodule in the Spaces module 6.x-3.x before 6.x-3.7 for Drupal does not properly delete organic group group spaces content when using the option to move to a new group, which causes the content to be "orphaned" and allows remote authenticated users with the "access content" permission to obtain sensitive information via vectors involving a rebuild access for the site or content. | |||||
| CVE-2014-0512 | 1 Adobe | 1 Acrobat Reader | 2014-05-16 | 10.0 HIGH | N/A |
| Adobe Reader 11.0.06 allows attackers to bypass a PDF sandbox protection mechanism via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2014. | |||||
| CVE-2014-0078 | 1 Redhat | 1 Cloudforms 3.0 Management Engine | 2014-05-15 | 4.0 MEDIUM | N/A |
| The CatalogController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to delete arbitrary catalogs via vectors involving guessing the catalog ID. | |||||
| CVE-2013-4455 | 1 Katello | 1 Katello Installer | 2014-05-15 | 2.1 LOW | N/A |
| Katello Installer before 0.0.18 uses world-readable permissions for /etc/pki/tls/private/katello-node.key when deploying a child Pulp node, which allows local users to obtain the private key by reading the file. | |||||
| CVE-2013-4502 | 2 Drupal, Nathan Haug | 2 Drupal, Filefield Sources | 2014-05-14 | 4.0 MEDIUM | N/A |
| The FileField Sources module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.9 for Drupal does not properly check file permissions, which allows remote authenticated users to read arbitrary files by attaching a file. | |||||
| CVE-2013-4504 | 2 Drupal, Monster Menus Module Project | 2 Drupal, Monster Menus | 2014-05-14 | 2.6 LOW | N/A |
| The Monster Menus module 7.x-1.x before 7.x-1.15 allows remote attackers to read arbitrary node comments via a crafted URL. | |||||
| CVE-2013-4501 | 1 Quiz Module Project | 1 Quiz | 2014-05-14 | 5.0 MEDIUM | N/A |
| The default views in the Quiz module 6.x-4.x before 6.x-4.5 for Drupal allows remote attackers to obtain sensitive quiz results via unspecified vectors. | |||||
| CVE-2013-4500 | 1 Quiz Module Project | 1 Quiz | 2014-05-14 | 4.9 MEDIUM | N/A |
| The Quiz module 6.x-4.x before 6.x-4.5 for Drupal allows remote authenticated users with the "view any quiz results" or "view results for own quiz" permission to delete arbitrary results via the delete option. | |||||
| CVE-2014-0525 | 3 Adobe, Apple, Microsoft | 4 Acrobat, Acrobat Reader, Mac Os X and 1 more | 2014-05-14 | 10.0 HIGH | N/A |
| The API in Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X does not prevent access to unmapped memory, which allows attackers to execute arbitrary code via unspecified API calls. | |||||
| CVE-2013-4577 | 1 Gnu | 1 Grub | 2014-05-12 | 2.1 LOW | N/A |
| A certain Debian patch for GNU GRUB uses world-readable permissions for grub.cfg, which allows local users to obtain password hashes, as demonstrated by reading the password_pbkdf2 directive in the file. | |||||
| CVE-2014-3133 | 1 Sap | 1 Netweaver Java Application Server | 2014-05-10 | 5.0 MEDIUM | N/A |
| SAP Netweaver Java Application Server does not properly restrict access, which allows remote attackers to obtain the list of SAP systems registered on an SLD via an unspecified webdynpro, related to SystemSelection. | |||||
| CVE-2014-3130 | 1 Sap | 1 Netweaver Abap Application Server | 2014-05-10 | 4.6 MEDIUM | N/A |
| The ABAP Help documentation and translation tools (BC-DOC-HLP) in Basis in SAP Netweaver ABAP Application Server does not properly restrict access, which allows local users to gain privileges and execute ABAP instructions via crafted help messages. | |||||
| CVE-2014-3131 | 1 Sap | 1 Profile Maintenance | 2014-05-10 | 4.0 MEDIUM | N/A |
| SAP Profile Maintenance does not properly restrict access, which allows remote authenticated users to obtain sensitive information via an unspecified RFC function, related to SAP Solution Manager 7.1. | |||||
| CVE-2014-3132 | 1 Sap | 1 Background Processing | 2014-05-10 | 4.0 MEDIUM | N/A |
| SAP Background Processing does not properly restrict access, which allows remote authenticated users to obtain sensitive information via an unspecified RFC function, related to SAP Solution Manager 7.1. | |||||
| CVE-2013-5572 | 1 Zabbix | 1 Zabbix | 2014-05-10 | 3.5 LOW | N/A |
| Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code. | |||||
| CVE-2014-0135 | 1 Theforeman | 1 Kafo | 2014-05-09 | 1.9 LOW | N/A |
| Kafo before 0.3.17 and 0.4.x before 0.5.2, as used by Foreman, uses world-readable permissions for default_values.yaml, which allows local users to obtain passwords and other sensitive information by reading the file. | |||||