advantech -- advantech_webaccess |
Unspecified
vulnerability in Advantech WebAccess before
7.2 allows remote authenticated users to
create or delete arbitrary files via unknown
vectors. |
2014-07-19 |
5.5 |
CVE-2014-2365 |
advantech -- advantech_webaccess |
upAdminPg.asp
in Advantech WebAccess before 7.2 allows
remote authenticated users to discover
credentials by reading HTML source code. |
2014-07-19 |
4.0 |
CVE-2014-2366 |
advantech -- advantech_webaccess |
The
ChkCookie subroutine in an ActiveX control
in broadweb/include/gChkCook.asp in
Advantech WebAccess before 7.2 allows remote
attackers to read arbitrary files via a
crafted call. |
2014-07-19 |
4.3 |
CVE-2014-2367 |
advantech -- advantech_webaccess |
The
BrowseFolder method in the bwocxrun ActiveX
control in Advantech WebAccess before 7.2
allows remote attackers to read arbitrary
files via a crafted call. |
2014-07-19 |
5.0 |
CVE-2014-2368 |
apache -- http_server |
The
cache_invalidate function in
modules/cache/cache_storage.c in the
mod_cache module in the Apache HTTP Server
2.4.6, when a caching forward proxy is
enabled, allows remote HTTP servers to cause
a denial of service (NULL pointer
dereference and daemon crash) via vectors
that trigger a missing hostname value. |
2014-07-20 |
4.3 |
CVE-2013-4352
CONFIRM
CONFIRM
CONFIRM |
apache -- http_server |
The
mod_proxy module in the Apache HTTP Server
2.4.x before 2.4.10, when a reverse proxy is
enabled, allows remote attackers to cause a
denial of service (child-process crash) via
a crafted HTTP Connection header. |
2014-07-20 |
4.3 |
CVE-2014-0117
CONFIRM
MISC
CONFIRM
CONFIRM
CONFIRM
CONFIRM |
apache -- http_server |
The
deflate_in_filter function in mod_deflate.c
in the mod_deflate module in the Apache HTTP
Server before 2.4.10, when request body
decompression is enabled, allows remote
attackers to cause a denial of service
(resource consumption) via crafted request
data that decompresses to a much larger
size. |
2014-07-20 |
4.3 |
CVE-2014-0118
CONFIRM
CONFIRM
CONFIRM |
apache -- http_server |
Race
condition in the mod_status module in the
Apache HTTP Server before 2.4.10 allows
remote attackers to cause a denial of
service (heap-based buffer overflow), or
possibly obtain sensitive credential
information or execute arbitrary code, via a
crafted request that triggers improper
scoreboard handling within the
status_handler function in
modules/generators/mod_status.c and the
lua_ap_scoreboard_worker function in
modules/lua/lua_request.c. |
2014-07-20 |
6.8 |
CVE-2014-0226
CONFIRM
MISC
CONFIRM
CONFIRM
CONFIRM
CONFIRM |
apache -- http_server |
The
mod_cgid module in the Apache HTTP Server
before 2.4.10 does not have a timeout
mechanism, which allows remote attackers to
cause a denial of service (process hang) via
a request to a CGI script that does not read
from its stdin file descriptor. |
2014-07-20 |
5.0 |
CVE-2014-0231
CONFIRM
CONFIRM
CONFIRM
CONFIRM |
apache -- http_server |
Memory
leak in the winnt_accept function in
server/mpm/winnt/child.c in the WinNT MPM in
the Apache HTTP Server 2.4.x before 2.4.10
on Windows, when the default AcceptFilter is
enabled, allows remote attackers to cause a
denial of service (memory consumption) via
crafted requests. |
2014-07-20 |
5.0 |
CVE-2014-3523
CONFIRM
CONFIRM |
canonical -- acpi-support |
Race
condition in the power policy functions in
policy-funcs in acpi-support before 0.142
allows local users to gain privileges via
unspecified vectors. |
2014-07-24 |
6.9 |
CVE-2014-1419
CONFIRM |
cgminer_project -- cgminer |
The
parse_notify function in util.c in sgminer
before 4.2.2 and cgminer 3.3.0 through 4.0.1
allows man-in-the-middle attackers to cause
a denial of service (application exit) via a
crafted (1) bbversion, (2) prev_hash, (3)
nbit, or (4) ntime parameter in a
mining.notify action stratum message. |
2014-07-23 |
4.3 |
CVE-2014-4503
FULLDISC |
cisco -- asr_9000_rsp440_router |
Cisco
IOS XR 4.3(.2) and earlier on ASR 9000
devices does not properly perform NetFlow
sampling of IP packets, which allows remote
attackers to cause a denial of service (chip
and card hangs) via malformed (1) IPv4 or
(2) IPv6 packets, aka Bug ID CSCuo68417. |
2014-07-24 |
6.1 |
CVE-2014-3322 |
cisco --
unified_customer_voice_portal |
Multiple
cross-site scripting (XSS) vulnerabilities
in Cisco Unified Customer Voice Portal (CVP)
allow remote attackers to inject arbitrary
web script or HTML via a crafted parameter,
aka Bug IDs CSCuh61711, CSCuh61720,
CSCuh61723, CSCuh61726, CSCuh61727,
CSCuh61731, and CSCuh61733. |
2014-07-19 |
4.3 |
CVE-2014-3325 |
citrix -- xenserver |
Unspecified
vulnerability in Citrix XenServer 6.2
Service Pack 1 and earlier allows attackers
to cause a denial of service and obtain
sensitive information by modifying the guest
virtual hard disk (VHD). |
2014-07-22 |
6.4 |
CVE-2014-4948
BID |
cybozu -- garoon |
The
Portlets subsystem in Cybozu Garoon 2.x and
3.x before 3.7 SP4 allows remote
authenticated users to bypass intended
access restrictions via unspecified vectors. |
2014-07-20 |
4.0 |
CVE-2014-1993 |
dell -- sonicwall_analyzer |
Cross-site
scripting (XSS) vulnerability in
sgms/panelManager in Dell SonicWALL GMS,
Analyzer, and UMA before 7.2 SP1 allows
remote attackers to inject arbitrary web
script or HTML via the node_id parameter. |
2014-07-24 |
4.3 |
CVE-2014-5024
BID
FULLDISC
MISC |
drupal -- drupal |
The
multisite feature in Drupal 6.x before 6.32
and 7.x before 7.29 allows remote attackers
to cause a denial of service via a crafted
HTTP Host header, related to determining
which configuration file to use. |
2014-07-22 |
5.0 |
CVE-2014-5019
DEBIAN |
drupal -- drupal |
The
File module in Drupal 7.x before 7.29 does
not properly check permissions to view
files, which allows remote authenticated
users with certain permissions to bypass
intended restrictions and read files by
attaching the file to content with a file
field. |
2014-07-22 |
4.9 |
CVE-2014-5020
DEBIAN |
drupal -- drupal |
Cross-site
scripting (XSS) vulnerability in the Ajax
system in Drupal 7.x before 7.29 allows
remote attackers to inject arbitrary web
script or HTML via vectors involving forms
with an Ajax-enabled textfield and a file
field. |
2014-07-22 |
4.3 |
CVE-2014-5022
DEBIAN |
e107 -- e107 |
Cross-site
scripting (XSS) vulnerability in
e107_admin/db.php in e107 2.0 alpha2 and
earlier allows remote attackers to inject
arbitrary web script or HTML via the type
parameter. |
2014-07-21 |
4.3 |
CVE-2014-4734
MISC
CONFIRM
BID
BUGTRAQ |
emc -- recoverpoint_appliance |
The
default configuration of EMC RecoverPoint
Appliance (RPA) 4.1 before 4.1.0.1 does not
enable a firewall, which allows remote
attackers to obtain potentially sensitive
information about open ports, or cause a
denial of service, by sending packets to
many ports. |
2014-07-19 |
5.8 |
CVE-2014-2519
BUGTRAQ |
entity_api_module_project --
entity_api_module |
The
Entity API module 7.x-1.x before 7.x-1.2 for
Drupal does not properly restrict access to
node comments, which allows remote
authenticated users to read the comments via
unspecified vectors. NOTE: this identifier
was SPLIT per ADT5 due to different
researcher organizations. CVE-2013-7391 was
assigned for the View vector. |
2014-07-19 |
4.0 |
CVE-2013-4273
CONFIRM
MLIST |
entity_api_module_project --
entity_api_module |
The
Entity API module 7.x-1.x before 7.x-1.2 for
Drupal, when using the (a) Views field or
(b) area plugins, allows remote attackers to
read restricted entities via the (1) field,
(2) header, or (3) footer of a View. NOTE:
this identifier was SPLIT from CVE-2013-4273
per ADT5 due to different researcher
organizations. |
2014-07-19 |
5.0 |
CVE-2013-7391
MLIST |
eterna -- bozohttpd |
bozotic
HTTP server (aka bozohttpd) before 20140708,
as used in NetBSD, truncates paths when
checking .htpasswd restrictions, which
allows remote attackers to bypass the HTTP
authentication scheme and access
restrictions via a long path. |
2014-07-24 |
5.0 |
CVE-2014-5015
XF
BID
OSVDB
CONFIRM
MLIST |
gitlist -- gitlist |
Repository.php
in Gitter, as used in Gitlist, allows remote
attackers with commit privileges to execute
arbitrary commands via shell metacharacters
in a branch name, as demonstrated by a "git
checkout -b" command. |
2014-07-22 |
6.8 |
CVE-2014-5023
MISC |
google -- chrome |
The
WebContentsDelegateAndroid::OpenURLFromTab
function in
components/web_contents_delegate_android/web_contents_delegate_android.cc
in Google Chrome before 36.0.1985.122 on
Android does not properly restrict URL
loading, which allows remote attackers to
spoof the URL in the Omnibox via unspecified
vectors. |
2014-07-20 |
6.4 |
CVE-2014-3159
CONFIRM
CONFIRM |
google -- chrome |
Multiple
unspecified vulnerabilities in Google Chrome
before 36.0.1985.125 allow attackers to
cause a denial of service or possibly have
other impact via unknown vectors. |
2014-07-20 |
5.0 |
CVE-2014-3162
CONFIRM |
honeywell --
falcon_xlweb_linux_controller |
Multiple
cross-site scripting (XSS) vulnerabilities
on Honeywell FALCON XLWeb Linux controller
devices 2.04.01 and earlier and FALCON XLWeb
XLWebExe controller devices 2.02.11 and
earlier allow remote attackers to inject
arbitrary web script or HTML via invalid
input. |
2014-07-24 |
4.3 |
CVE-2014-3110 |
huawei -- e355_web_ui |
Cross-site
scripting (XSS) vulnerability in the web
interface on the Huawei E355 CH1E355SM modem
with software 21.157.37.01.910 and Web UI
11.001.08.00.03 allows remote attackers to
inject arbitrary web script or HTML via an
SMS message. |
2014-07-24 |
4.3 |
CVE-2014-2968 |
ibm --
storwize_unified_v7000_software |
IBM
Storwize V7000 Unified 1.3.x and 1.4.x
before 1.4.3.3 allows remote authenticated
users to gain privileges by leveraging
access to the service account. |
2014-07-19 |
6.5 |
CVE-2014-3043 |
ibm --
infosphere_master_data_management_collaboration_server |
The
GDS component in IBM InfoSphere Master Data
Management - Collaborative Edition 10.x and
11.x before 11.0 FP4 and InfoSphere Master
Data Management Server for Product
Information Management 9.0 and 9.1 allows
remote authenticated users to read arbitrary
files via a crafted UNIX file parameter. |
2014-07-19 |
6.3 |
CVE-2014-3064
XF |
limesurvey -- limesurvey |
Multiple
cross-site scripting (XSS) vulnerabilities
in LimeSurvey 2.05+ Build 140618 allow
remote attackers to inject arbitrary web
script or HTML via (1) the pid attribute to
the getAttribute_json function to
application/controllers/admin/participantsaction.php
in CPDB, (2) the sa parameter to
application/views/admin/globalSettings_view.php,
or (3) a crafted CSV file to the "Import
CSV" functionality. |
2014-07-21 |
4.3 |
CVE-2014-5016
MISC |
limesurvey -- limesurvey |
Incomplete
blacklist vulnerability in the autoEscape
function in common_helper.php in LimeSurvey
2.05+ Build 140618 allows remote attackers
to conduct cross-site scripting (XSS)
attacks via the GBK charset in the loadname
parameter to index.php, related to the
survey resume. |
2014-07-21 |
4.3 |
CVE-2014-5018
MISC |
linux -- linux_kernel |
The
PPPoL2TP feature in net/l2tp/l2tp_ppp.c in
the Linux kernel through 3.15.6 allows local
users to gain privileges by leveraging
data-structure differences between an l2tp
socket and an inet socket. |
2014-07-19 |
6.9 |
CVE-2014-4943
CONFIRM
CONFIRM
MLIST |
mit -- kerberos |
MIT
Kerberos 5 (aka krb5) before 1.12.2 allows
remote attackers to cause a denial of
service (buffer over-read and application
crash) by injecting invalid tokens into a
GSSAPI application session. |
2014-07-20 |
5.0 |
CVE-2014-4341
CONFIRM |
mit -- kerberos |
MIT
Kerberos 5 (aka krb5) 1.7.x through 1.12.x
before 1.12.2 allows remote attackers to
cause a denial of service (buffer over-read
or NULL pointer dereference, and application
crash) by injecting invalid tokens into a
GSSAPI application session. |
2014-07-20 |
5.0 |
CVE-2014-4342
CONFIRM |
mozilla -- firefox |
Mozilla
Firefox before 31.0 and Thunderbird before
31.0 do not properly implement the sandbox
attribute of the IFRAME element, which
allows remote attackers to bypass intended
restrictions on same-origin content via a
crafted web site in conjunction with a
redirect. |
2014-07-23 |
5.8 |
CVE-2014-1552
CONFIRM |
mozilla -- firefox |
Mozilla
Firefox before 31.0 and Thunderbird before
31.0 allow remote attackers to cause a
denial of service (X.509 certificate parsing
outage) via a crafted certificate that does
not use UTF-8 character encoding in a
required context, a different vulnerability
than CVE-2014-1559. |
2014-07-23 |
4.3 |
CVE-2014-1558
CONFIRM |
mozilla -- firefox |
Mozilla
Firefox before 31.0 and Thunderbird before
31.0 allow remote attackers to cause a
denial of service (X.509 certificate parsing
outage) via a crafted certificate that does
not use UTF-8 character encoding in a
required context, a different vulnerability
than CVE-2014-1558. |
2014-07-23 |
4.3 |
CVE-2014-1559
CONFIRM |
mozilla -- firefox |
Mozilla
Firefox before 31.0 and Thunderbird before
31.0 allow remote attackers to cause a
denial of service (X.509 certificate parsing
outage) via a crafted certificate that does
not use ASCII character encoding in a
required context. |
2014-07-23 |
4.3 |
CVE-2014-1560
CONFIRM |
mozilla -- firefox |
Mozilla
Firefox before 31.0 does not properly
restrict use of drag-and-drop events to
spoof customization events, which allows
remote attackers to alter the placement of
UI icons via crafted JavaScript code that is
encountered during (1) page, (2) panel, or
(3) toolbar customization. |
2014-07-23 |
5.8 |
CVE-2014-1561
CONFIRM
CONFIRM |
nexatechnologies -- meridian |
Cross-site
scripting (XSS) vulnerability in Nexa
Meridian before 2014 allows remote attackers
to inject arbitrary web script or HTML via
unspecified vectors. |
2014-07-20 |
4.3 |
CVE-2014-3892 |
nextapp -- file_explorer |
Directory
traversal vulnerability in the NextApp File
Explorer application before 2.1.0.3 for
Android allows remote attackers to overwrite
or create arbitrary files via a crafted
filename. |
2014-07-20 |
5.0 |
CVE-2014-1973 |
octavocms -- octavocms |
Cross-site
scripting (XSS) vulnerability in
admin/viewer.php in OctavoCMS allows remote
attackers to inject arbitrary web script or
HTML via the src parameter. |
2014-07-19 |
4.3 |
CVE-2014-4331
BID
BUGTRAQ
VIM |
omeka -- omeka |
Multiple
cross-site request forgery (CSRF)
vulnerabilities in Omeka before 2.2.1 allow
remote attackers to hijack the
authentication of administrators for
requests that (1) add a new super user
account via a request to admin/users/add,
(2) insert cross-site scripting (XSS)
sequences via the api_key_label parameter to
admin/users/api-keys/1, or (3) disable file
validation via a request to
admin/settings/edit-security. |
2014-07-25 |
6.8 |
CVE-2014-5100
XF
XF
MISC
MISC
BID
EXPLOIT-DB
MISC |
omron -- ns10_hmi_terminal |
Cross-site
request forgery (CSRF) vulnerability in the
web application on Omron NS5, NS8, NS10,
NS12, and NS15 HMI terminals 8.1xx through
8.68x allows remote authenticated users to
hijack the authentication of unspecified
victims via unknown vectors. |
2014-07-24 |
6.0 |
CVE-2014-2369 |
openstack -- neutron |
OpenStack
Neutron before 2013.2.4, 2014.x before
2014.1.2, and Juno before Juno-2 allows
remote authenticated users to cause a denial
of service (crash or long firewall rule
updates) by creating a large number of
allowed address pairs. |
2014-07-23 |
4.0 |
CVE-2014-3555
MISC
BID
MLIST |
php_kobo --
multifunctional_mailform_free |
Cross-site
scripting (XSS) vulnerability in PHP Kobo
Multifunctional MailForm Free 2014/1/28 and
earlier allows remote attackers to inject
arbitrary web script or HTML via an HTTP
Referer header. |
2014-07-20 |
4.3 |
CVE-2014-3894 |
phpmyadmin -- phpmyadmin |
server_user_groups.php
in phpMyAdmin 4.1.x before 4.1.14.2 and
4.2.x before 4.2.6 allows remote
authenticated users to bypass intended
access restrictions and read the MySQL user
list via a viewUsers request. |
2014-07-20 |
4.0 |
CVE-2014-4987
CONFIRM |
polarssl -- polarssl |
The
ssl_decrypt_buf function in
library/ssl_tls.c in PolarSSL before 1.2.11
and 1.3.x before 1.3.8 allows remote
attackers to cause a denial of service
(crash) via vectors related to the GCM
ciphersuites, as demonstrated using the
Codenomicon Defensics toolkit. |
2014-07-22 |
5.0 |
CVE-2014-4911
DEBIAN |
redhat -- enterprise_mrg |
Cumin
(aka MRG Management Console), as used in Red
Hat Enterprise MRG 2.5, allows attackers
with certain database privileges to cause a
denial of service (inaccessible page) via a
non-ASCII character in the name of a link. |
2014-07-19 |
5.0 |
CVE-2012-2682
CONFIRM |
redhat --
jboss_enterprise_application_platform |
jmx-remoting.sar
in JBoss Remoting, as used in Red Hat JBoss
Enterprise Application Platform (JEAP)
5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat
JBoss Portal Platform 5.2.2, and Red Hat
JBoss SOA Platform 5.3.1, does not properly
implement the JSR 160 specification, which
allows remote attackers to execute arbitrary
code via unspecified vectors. |
2014-07-22 |
6.8 |
CVE-2014-3518 |
reviewboard -- review_board |
Cross-site
scripting (XSS) vulnerability in Review
Board 1.7.x before 1.7.27 and 2.0.x before
2.0.4 allows remote attackers to inject
arbitrary web script or HTML via a query
parameter to a diff fragment page. |
2014-07-25 |
4.3 |
CVE-2014-5027
BID
MLIST
MLIST |
siemens -- simatic_pcs7 |
The
WebNavigator server in Siemens SIMATIC WinCC
before 7.3, as used in PCS7 and other
products, allows remote attackers to obtain
sensitive information via an HTTP request. |
2014-07-24 |
5.0 |
CVE-2014-4682 |
siemens -- simatic_pcs7 |
The
WebNavigator server in Siemens SIMATIC WinCC
before 7.3, as used in PCS7 and other
products, allows remote authenticated users
to gain privileges via a (1) HTTP or (2)
HTTPS request. |
2014-07-24 |
4.9 |
CVE-2014-4683 |
siemens -- simatic_pcs7 |
The
database server in Siemens SIMATIC WinCC
before 7.3, as used in PCS7 and other
products, allows remote authenticated users
to gain privileges via a request to TCP port
1433. |
2014-07-24 |
6.0 |
CVE-2014-4684 |
siemens -- simatic_pcs7 |
Siemens
SIMATIC WinCC before 7.3, as used in PCS7
and other products, allows local users to
gain privileges by leveraging weak
system-object access control. |
2014-07-24 |
4.6 |
CVE-2014-4685 |
siemens -- simatic_pcs7 |
The
Project administration application in
Siemens SIMATIC WinCC before 7.3, as used in
PCS7 and other products, has a hardcoded
encryption key, which allows remote
attackers to obtain sensitive information by
extracting this key from another product
installation and then employing this key
during the sniffing of network traffic on
TCP port 1030. |
2014-07-24 |
6.8 |
CVE-2014-4686 |
sophos -- anti-virus |
Multiple
cross-site scripting (XSS) vulnerabilities
in the web UI in Sophos Anti-Virus for Linux
before 9.6.1 allow local users to inject
arbitrary web script or HTML via the (1)
newListList:ExcludeFileOnExpression, (2)
newListList:ExcludeFilesystems, or (3)
newListList:ExcludeMountPaths parameter to
exclusion/configure or (4) text:EmailServer
or (5) newListList:Email parameter to
notification/configure. |
2014-07-22 |
4.3 |
CVE-2014-2385
MISC
SECTRACK
FULLDISC |
tenable -- nessus |
The
/server/properties resource in Tenable Web
UI before 2.3.5 for Nessus 5.2.3 through
5.2.7 allows remote attackers to obtain
sensitive information via the token
parameter. |
2014-07-23 |
5.0 |
CVE-2014-4980
SECTRACK
BID
BUGTRAQ
OSVDB
MISC
MISC |
ubnt -- unifi_video |
The
default Flash cross-domain policy
(crossdomain.xml) in Ubiquiti Networks UniFi
Video (formerly AirVision aka AirVision
Controller) before 3.0.1 does not restrict
access to the application, which allows
remote attackers to bypass the Same Origin
Policy via a crafted SWF file. |
2014-07-25 |
6.0 |
CVE-2014-2227
BID
MISC
FULLDISC |
webmin -- usermin |
Cross-site
scripting (XSS) vulnerability in Usermin
before 1.600 allows remote attackers to
inject arbitrary web script or HTML via
unspecified vectors. NOTE: this might
overlap CVE-2014-3924. |
2014-07-20 |
4.3 |
CVE-2014-3884 |
webmin -- webmin |
Cross-site
scripting (XSS) vulnerability in Webmin
before 1.690 allows remote authenticated
users to inject arbitrary web script or HTML
via unspecified vectors. NOTE: this might
overlap CVE-2014-3924. |
2014-07-20 |
4.3 |
CVE-2014-3885 |
x -- xf86-video-intel |
Directory
traversal vulnerability in
tools/backlight_helper.c in X.Org
xf86-video-intel 2.99.911 allows remote
attackers to create or overwrite arbitrary
files via a .. (dot dot) in the interface
name. |
2014-07-24 |
4.6 |
CVE-2014-4910
XF
MLIST
MLIST
OSVDB
MLIST |