Weekly Vulnerabilities Reports > February 24 to March 2, 2014

Overview

129 new vulnerabilities reported during this period, including 17 critical vulnerabilities and 22 high severity vulnerabilities. This weekly summary report vulnerabilities in 102 products from 52 vendors including Apple, Cisco, Google, IBM, and Redhat. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", "Improper Input Validation", "Permissions, Privileges, and Access Controls", and "Information Exposure".

  • 108 reported vulnerabilities are remotely exploitables.
  • 3 reported vulnerabilities have public exploit available.
  • 33 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 105 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 25 reported vulnerabilities.
  • Apple has the most reported critical vulnerabilities, with 9 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

17 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-03-02 CVE-2014-0862 IBM Unspecified vulnerability in IBM Rational Collaborative Lifecycle Management

Unspecified vulnerability in Jazz Team Server in IBM Rational Collaborative Lifecycle Management (CLM) 3.x before 3.0.1.6 iFix 2 and 4.x before 4.0.6 allows remote attackers to execute arbitrary code via unknown vectors.

10.0
2014-02-27 CVE-2014-2075 Tibco Improper Authentication vulnerability in Tibco products

TIBCO Enterprise Administrator 1.0.0 and Enterprise Administrator SDK 1.0.0 do not properly enforce administrative authentication requirements, which allows remote attackers to execute arbitrary commands via unspecified vectors.

10.0
2014-02-26 CVE-2013-3712 Suse Cryptographic Issues vulnerability in Suse Studio Extension for System Z and Studio Onsite

SUSE Studio Onsite 1.3.x before 1.3.6 and SUSE Studio Extension for System z 1.3 uses "static" secret tokens, which has unspecified impact and vectors.

10.0
2014-02-26 CVE-2013-4841 HP Remote Code Execution vulnerability in HP products

Unspecified vulnerability in dbd_manager in LeftHand OS before 11.0 in HP StoreVirtual 4000 and StoreVirtual VSA Software (formerly LeftHand Virtual SAN Appliance) allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1509.

10.0
2014-03-01 CVE-2014-2262 SAS Buffer Errors vulnerability in SAS Base SAS 9.2/9.3/9.4

Buffer overflow in the client application in Base SAS 9.2 TS2M3, SAS 9.3 TS1M1 and TS1M2, and SAS 9.4 TS1M0 allows user-assisted remote attackers to execute arbitrary code via a crafted SAS program.

9.3
2014-02-27 CVE-2014-1251 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Buffer overflow in Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted clef atom in a movie file.

9.3
2014-02-27 CVE-2014-1250 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Apple QuickTime before 7.7.5 does not properly perform a byte-swapping operation, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted ttfo element in a movie file.

9.3
2014-02-27 CVE-2014-1249 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Buffer overflow in Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PSD image.

9.3
2014-02-27 CVE-2014-1248 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Buffer overflow in Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted ldat atom in a movie file.

9.3
2014-02-27 CVE-2014-1247 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted dref atom in a movie file.

9.3
2014-02-27 CVE-2014-1246 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Buffer overflow in Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted ftab atom in a movie file.

9.3
2014-02-27 CVE-2014-1245 Apple Numeric Errors vulnerability in Apple Quicktime

Integer signedness error in Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted stsz atom in a movie file.

9.3
2014-02-27 CVE-2014-1244 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Buffer overflow in Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with H.264 encoding.

9.3
2014-02-27 CVE-2014-1243 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Apple QuickTime before 7.7.5 does not initialize an unspecified pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted track list in a movie file.

9.3
2014-02-24 CVE-2014-0758 Iconics Improper Input Validation vulnerability in Iconics Genesis32

An ActiveX control in GenLaunch.htm in ICONICS GENESIS32 8.0, 8.02, 8.04, and 8.05 allows remote attackers to execute arbitrary programs via a crafted HTML document.

9.3
2014-02-24 CVE-2013-2817 Mitsubishielectric Code Injection vulnerability in Mitsubishielectric Mc-Worx Suite 8.02

An ActiveX control in IcoLaunch.dll in Mitsubishi Electric Automation MC-WorX Suite 8.02 allows user-assisted remote attackers to execute arbitrary programs via a crafted HTML document in conjunction with a Login Client button click.

9.3
2014-02-27 CVE-2014-0679 Cisco Improper Input Validation vulnerability in Cisco Prime Infrastructure

Cisco Prime Infrastructure 1.2 and 1.3 before 1.3.0.20-2, 1.4 before 1.4.0.45-2, and 2.0 before 2.0.0.0.294-2 allows remote authenticated users to execute arbitrary commands with root privileges via an unspecified URL, aka Bug ID CSCum71308.

9.0

22 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-03-02 CVE-2014-2033 Bluecoat Permissions, Privileges, and Access Controls vulnerability in Bluecoat Proxysgos

The caching feature in SGOS in Blue Coat ProxySG 5.5 through 5.5.11.3, 6.1 through 6.1.6.3, 6.2 through 6.2.15.3, 6.4 through 6.4.6.1, and 6.3 and 6.5 before 6.5.4 allows remote authenticated users to bypass intended access restrictions during a time window after account deletion or modification by leveraging knowledge of previously valid credentials.

7.9
2014-03-02 CVE-2014-2264 Synology Information Exposure vulnerability in Synology Diskstation Manager 4.33810

The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session.

7.8
2014-02-26 CVE-2013-2824 Schneider Electric Unspecified vulnerability in Schneider-Electric products

Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

7.8
2014-02-24 CVE-2014-1966 Siemens Resource Management Errors vulnerability in Siemens Ruggedcom Rugged Operating System

The SNMP implementation in Siemens RuggedCom ROS before 3.11, ROS 3.11 for RS950G, ROS 3.12 before 3.12.4, and ROS 4.0 for RSG2488 allows remote attackers to cause a denial of service (device outage) via crafted packets.

7.8
2014-03-01 CVE-2014-1912 Python
Apple
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.

7.5
2014-03-01 CVE-2013-2498 Simplehrm SQL Injection vulnerability in Simplehrm 2.2/2.3

SQL injection vulnerability in the login page in flexycms/modules/user/user_manager.php in SimpleHRM 2.3, 2.2, and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter to index.php/user/setLogin.

7.5
2014-02-27 CVE-2014-1854 Adrotateplugin SQL Injection vulnerability in Adrotateplugin Adrotate

SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter.

7.5
2014-02-27 CVE-2014-1597 I Doit SQL Injection vulnerability in I-Doit

SQL injection vulnerability in the CMDB web application in synetics i-doit pro before 1.2.5 and i-doit open allows remote attackers to execute arbitrary SQL commands via the objID parameter to the default URI.

7.5
2014-02-27 CVE-2014-1262 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X

Apple Type Services (ATS) in Apple OS X before 10.9.2 allows attackers to bypass the App Sandbox protection mechanism via crafted Mach messages that trigger memory corruption.

7.5
2014-02-27 CVE-2014-1261 Apple Numeric Errors vulnerability in Apple mac OS X

Integer signedness error in CoreText in Apple OS X before 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Unicode font.

7.5
2014-02-27 CVE-2014-1256 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

Buffer overflow in Apple Type Services (ATS) in Apple OS X before 10.9.2 allows attackers to bypass the App Sandbox protection mechanism via crafted Mach messages.

7.5
2014-02-27 CVE-2014-1255 Apple Improper Input Validation vulnerability in Apple mac OS X

Apple Type Services (ATS) in Apple OS X before 10.9.2 does not properly validate calls to the free function, which allows attackers to bypass the App Sandbox protection mechanism via crafted Mach messages.

7.5
2014-02-26 CVE-2013-6204 HP Remote Code Execution vulnerability in HP Application Information Optimizer

The Web Console in HP Application Information Optimizer (formerly HP Database Archiving) 6.2, 6.3, 6.4, 7.0, and 7.1 allows remote attackers to execute arbitrary code or obtain sensitive information via unspecified vectors, aka ZDI-CAN-2004.

7.5
2014-02-26 CVE-2013-6203 HP Remote Code Execution vulnerability in HP Application Information Optimizer

The Web Console in HP Application Information Optimizer (formerly HP Database Archiving) 6.2, 6.3, 6.4, 7.0, and 7.1 allows remote attackers to execute arbitrary code or obtain sensitive information via unspecified vectors, aka ZDI-CAN-1656.

7.5
2014-02-24 CVE-2013-6661 Google Unspecified vulnerability in Google Chrome

Multiple unspecified vulnerabilities in Google Chrome before 33.0.1750.117 allow attackers to bypass the sandbox protection mechanism after obtaining renderer access, or have other impact, via unknown vectors.

7.5
2014-02-24 CVE-2013-6658 Google Resource Management Errors vulnerability in Google Chrome

Multiple use-after-free vulnerabilities in the layout implementation in Blink, as used in Google Chrome before 33.0.1750.117, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving (1) running JavaScript code during execution of the updateWidgetPositions function or (2) making a call into a plugin during execution of the updateWidgetPositions function.

7.5
2014-02-24 CVE-2013-6655 Google Resource Management Errors vulnerability in Google Chrome

Use-after-free vulnerability in Blink, as used in Google Chrome before 33.0.1750.117, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to improper handling of overflowchanged DOM events during interaction between JavaScript and layout.

7.5
2014-02-24 CVE-2013-6654 Google Improper Input Validation vulnerability in Google Chrome

The SVGAnimateElement::calculateAnimatedValue function in core/svg/SVGAnimateElement.cpp in Blink, as used in Google Chrome before 33.0.1750.117, does not properly handle unexpected data types, which allows remote attackers to cause a denial of service (incorrect cast) or possibly have unspecified other impact via unknown vectors.

7.5
2014-02-24 CVE-2013-6653 Google Resource Management Errors vulnerability in Google Chrome

Use-after-free vulnerability in the web contents implementation in Google Chrome before 33.0.1750.117 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving attempted conflicting access to the color chooser.

7.5
2014-02-24 CVE-2013-6652 Google
Microsoft
Path Traversal vulnerability in Google Chrome

Directory traversal vulnerability in sandbox/win/src/named_pipe_dispatcher.cc in Google Chrome before 33.0.1750.117 on Windows allows attackers to bypass intended named-pipe policy restrictions in the sandbox via vectors related to (1) lack of checks for ..

7.5
2014-02-28 CVE-2014-0069 Linux
Suse
Redhat
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer.

7.2
2014-02-27 CVE-2014-0816 Norman Permissions, Privileges, and Access Controls vulnerability in Norman Security Suite 10.0/10.1/8.0

Unspecified vulnerability in Norman Security Suite 10.1 and earlier allows local users to gain privileges via unknown vectors.

7.2

73 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-02-28 CVE-2014-0774 Schneider Electric Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Schneider-Electric products

Stack-based buffer overflow in the C++ sample client in Schneider Electric OPC Factory Server (OFS) TLXCDSUOFS33 - 3.35, TLXCDSTOFS33 - 3.35, TLXCDLUOFS33 - 3.35, TLXCDLTOFS33 - 3.35, and TLXCDLFOFS33 - 3.35 allows local users to gain privileges via vectors involving a malformed configuration file.

6.9
2014-02-28 CVE-2014-0759 Schneider Electric Unspecified vulnerability in Schneider-Electric Floating License Manager 1.0.0/1.4.0

Unquoted Windows search path vulnerability in Schneider Electric Floating License Manager 1.0.0 through 1.4.0 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

6.9
2014-03-02 CVE-2014-2089 Ilias Code Injection vulnerability in Ilias 4.4.1

ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via an e-mail attachment that leads to creation of a .php file with a certain client_id pathname.

6.8
2014-03-02 CVE-2014-2099 Ffmpeg Numeric Errors vulnerability in Ffmpeg

The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before 2.1.4 does not properly calculate line sizes, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Microsoft RLE video data.

6.8
2014-03-02 CVE-2014-2098 Ffmpeg Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ffmpeg

libavcodec/wmalosslessdec.c in FFmpeg before 2.1.4 uses an incorrect data-structure size for certain coefficients, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted WMA data.

6.8
2014-03-02 CVE-2014-2097 Ffmpeg Improper Input Validation vulnerability in Ffmpeg

The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before 2.1.4 does not properly validate a certain bits-per-sample value, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted TAK (aka Tom's lossless Audio Kompressor) data.

6.8
2014-03-01 CVE-2014-2263 Ffmpeg Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ffmpeg

The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) muxer (libavformat/mpegtsenc.c) in FFmpeg, possibly 2.1 and earlier, allows remote attackers to have unspecified impact and vectors, which trigger an out-of-bounds write.

6.8
2014-02-27 CVE-2014-2103 Cisco Improper Input Validation vulnerability in Cisco Intrusion Prevention System

Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

6.8
2014-02-27 CVE-2014-1270 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple products

WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1268 and CVE-2014-1269.

6.8
2014-02-27 CVE-2014-1269 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple products

WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1268 and CVE-2014-1270.

6.8
2014-02-27 CVE-2014-1268 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple products

WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1269 and CVE-2014-1270.

6.8
2014-02-27 CVE-2014-1260 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X

QuickLook in Apple OS X through 10.8.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Microsoft Office document.

6.8
2014-02-27 CVE-2014-1259 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

Buffer overflow in File Bookmark in Apple OS X before 10.9.2 allows attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted filename.

6.8
2014-02-27 CVE-2014-1258 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X

Heap-based buffer overflow in CoreAnimation in Apple OS X before 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted image.

6.8
2014-02-27 CVE-2014-1254 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X

Apple Type Services (ATS) in Apple OS X before 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Type 1 font that is embedded in a document.

6.8
2014-02-27 CVE-2014-0747 Cisco Improper Input Validation vulnerability in Cisco Unified Communications Manager

The Certificate Authority Proxy Function (CAPF) CLI implementation in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows local users to inject commands via unspecified CAPF programs, aka Bug ID CSCum95493.

6.8
2014-02-27 CVE-2014-0745 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Unified Contact Center Express Editor Software

Cross-site request forgery (CSRF) vulnerability in the Unified Serviceability subsystem in Cisco Unified Contact Center Express (Unified CCX) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCum95502.

6.8
2014-02-27 CVE-2014-0740 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Unified Communications Manager

Cross-site request forgery (CSRF) vulnerability in the Call Detail Records Analysis and Reporting (CAR) interface in the OS Administration component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to hijack the authentication of administrators for requests that make administrative changes, aka Bug ID CSCun00701.

6.8
2014-02-26 CVE-2011-4111 Redhat
Qemu
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC_ATR message.

6.8
2014-02-24 CVE-2013-6202 HP Cross-Site Request Forgery (CSRF) vulnerability in HP Service Manager

Multiple cross-site request forgery (CSRF) vulnerabilities in HP Service Manager 9.30, 9.31, 9.32, and 9.33 allow remote attackers to hijack the authentication of unspecified victims for requests that (1) insert XSS sequences or (2) execute arbitrary code.

6.8
2014-03-02 CVE-2014-2088 Ilias Unspecified vulnerability in Ilias 4.4.1

Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain client_id pathname.

6.5
2014-03-01 CVE-2014-2059 Jenkins Path Traversal vulnerability in Jenkins

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

6.5
2014-02-27 CVE-2014-0821 Cybozu SQL Injection vulnerability in Cybozu Garoon

SQL injection vulnerability in the download feature in Cybozu Garoon 2.x through 2.5.4 and 3.x through 3.7 SP3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2013-6930 and CVE-2013-6931.

6.5
2014-02-24 CVE-2013-6659 Google Cryptographic Issues vulnerability in Google Chrome

The SSLClientSocketNSS::Core::OwnAuthCertHandler function in net/socket/ssl_client_socket_nss.cc in Google Chrome before 33.0.1750.117 does not prevent changes to server X.509 certificates during renegotiations, which allows remote SSL servers to trigger use of a new certificate chain, inconsistent with the user's expectations, by initiating a TLS renegotiation.

6.4
2014-02-24 CVE-2013-6657 Google Permissions, Privileges, and Access Controls vulnerability in Google Chrome

core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 33.0.1750.117, inserts the about:blank URL during certain blocking of FORM elements within HTTP requests, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via unspecified vectors.

6.4
2014-02-26 CVE-2014-2205 Mcafee Permissions, Privileges, and Access Controls vulnerability in Mcafee Epolicy Orchestrator

The Import and Export Framework in McAfee ePolicy Orchestrator (ePO) before 4.6.7 Hotfix 940148 allows remote authenticated users with permissions to add dashboards to read arbitrary files by importing a crafted XML file, related to an XML External Entity (XXE) issue.

6.3
2014-02-27 CVE-2014-0742 Cisco Improper Input Validation vulnerability in Cisco Unified Communications Manager

The Certificate Authority Proxy Function (CAPF) CLI implementation in the CSR management feature in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows local users to read or modify arbitrary files via unspecified vectors, aka Bug ID CSCum95464.

6.2
2014-02-27 CVE-2014-0741 Cisco Cryptographic Issues vulnerability in Cisco Unified Communications Manager

The certificate-import feature in the Certificate Authority Proxy Function (CAPF) CLI implementation in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows local users to read or modify arbitrary files via a crafted command, aka Bug ID CSCum95461.

6.2
2014-03-02 CVE-2014-2243 Mediawiki Race Condition vulnerability in Mediawiki

includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses.

5.8
2014-02-27 CVE-2014-1967 7Andi FS CO Cryptographic Issues vulnerability in 7Andi-Fs.Co Denny'S 1.0.1/1.0.2/2.0.0

The Denny's application before 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.8
2014-02-26 CVE-2011-2941 Redhat Improper Input Validation vulnerability in Redhat Jboss Enterprise Portal Platform

Open redirect vulnerability in Red Hat JBoss Enterprise Portal Platform before 5.2.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the initialURI parameter.

5.8
2014-02-26 CVE-2013-4286 Apache Improper Input Validation vulnerability in Apache Tomcat

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header.

5.8
2014-02-28 CVE-2014-1878 Icinga
Nagios
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi.

5.0
2014-02-27 CVE-2014-0333 Libpng Numeric Errors vulnerability in Libpng

The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.

5.0
2014-02-27 CVE-2014-0743 Cisco Improper Authentication vulnerability in Cisco Unified Communications Manager

The Certificate Authority Proxy Function (CAPF) component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to bypass authentication and modify registered-device information via crafted data, aka Bug ID CSCum95468.

5.0
2014-02-26 CVE-2013-7332 Microsoft Resource Management Errors vulnerability in Microsoft Windows 8 and Windows 8.1

The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

5.0
2014-02-26 CVE-2014-0842 IBM Credentials Management vulnerability in IBM Rational Focal Point

The account-creation functionality in IBM Rational Focal Point 6.4.x and 6.5.x before 6.5.2.3 and 6.6.x before 6.6.1 places the new user's default password within the creation page, which allows remote attackers to obtain sensitive information by reading the HTML source code.

5.0
2014-02-24 CVE-2013-6660 Google Permissions, Privileges, and Access Controls vulnerability in Google Chrome

The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

5.0
2014-02-24 CVE-2013-6656 Google Information Exposure vulnerability in Google Chrome

The XSSAuditor::init function in core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 33.0.1750.117, processes POST requests by using the body of a redirecting page instead of the body of a redirect target, which allows remote attackers to obtain sensitive information via unspecified vectors.

5.0
2014-02-28 CVE-2014-2039 Linux Improper Input Validation vulnerability in Linux Kernel

arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the s390 platform does not properly handle attempted use of the linkage stack, which allows local users to cause a denial of service (system crash) by executing a crafted instruction.

4.9
2014-02-28 CVE-2014-1874 Linux
Suse
Canonical
Improper Input Validation vulnerability in multiple products

The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context.

4.9
2014-02-27 CVE-2014-0817 Cybozu Permissions, Privileges, and Access Controls vulnerability in Cybozu Garoon

Cybozu Garoon 2.x through 2.5.4 and 3.x through 3.7 SP3 does not properly manage sessions, which allows remote authenticated users to impersonate arbitrary users via unspecified vectors.

4.9
2014-02-27 CVE-2014-1265 Apple Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X and mac OS X Server

The systemsetup program in the Date and Time subsystem in Apple OS X before 10.9.2 allows local users to bypass intended access restrictions by changing the current time on the system clock.

4.6
2014-02-26 CVE-2014-2096 Catfish Project Local Privilege Escalation vulnerability in Catfish

Untrusted search path vulnerability in Catfish 0.6.0 through 1.0.0 allows local users to gain privileges via a Trojan horse bin/catfish.py under the current working directory.

4.6
2014-02-26 CVE-2014-2095 Catfish Project Local Privilege Escalation vulnerability in Catfish

Untrusted search path vulnerability in Catfish 0.6.0 through 1.0.0, when a Fedora package such as 0.8.2-1 is not used, allows local users to gain privileges via a Trojan horse bin/catfish.pyc under the current working directory.

4.6
2014-02-26 CVE-2014-2094 Catfish Project Local Privilege Escalation vulnerability in Catfish

Untrusted search path vulnerability in Catfish through 0.4.0.3, when a Fedora package such as 0.4.0.2-2 is not used, allows local users to gain privileges via a Trojan horse catfish.pyc in the current working directory.

4.6
2014-02-26 CVE-2014-2093 Catfish Project Unspecified vulnerability in Catfish Project Catfish

Untrusted search path vulnerability in Catfish through 0.4.0.3 allows local users to gain privileges via a Trojan horse catfish.py in the current working directory.

4.6
2014-03-02 CVE-2014-2092 Cmsmadesimple Cross-Site Scripting vulnerability in Cmsmadesimple CMS Made Simple 1.11.10

Cross-site scripting (XSS) vulnerability in lib/filemanager/ImageManager/editorFrame.php in CMS Made Simple 1.11.10 allows remote attackers to inject arbitrary web script or HTML via the action parameter, a different issue than CVE-2014-0334.

4.3
2014-03-02 CVE-2014-2244 Mediawiki Cross-Site Scripting vulnerability in Mediawiki

Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in the text parameter to api.php.

4.3
2014-03-02 CVE-2014-2242 Mediawiki Cross-Site Scripting vulnerability in Mediawiki

includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element.

4.3
2014-03-02 CVE-2014-2104 Cisco Cross-Site Scripting vulnerability in Cisco Unified Communications Domain Manager 9.0(.1)

Multiple cross-site scripting (XSS) vulnerabilities in the Business Voice Services Manager (BVSM) page in Cisco Unified Communications Domain Manager 9.0(.1) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCum78536, CSCum78526, CSCum69809, and CSCum63113.

4.3
2014-03-02 CVE-2013-4054 IBM Path Traversal vulnerability in IBM Websphere MQ 7.5/7.5.0.1/7.5.0.2

Directory traversal vulnerability in WMQ Telemetry in IBM WebSphere MQ 7.5 before 7.5.0.3 allows remote attackers to read arbitrary files via a crafted URI.

4.3
2014-03-01 CVE-2014-2080 Modx Cross-Site Scripting vulnerability in Modx Revolution

Cross-site scripting (XSS) vulnerability in manager/templates/default/header.tpl in ModX Revolution before 2.2.11 allows remote attackers to inject arbitrary web script or HTML via the "a" parameter.

4.3
2014-03-01 CVE-2014-1888 Buddypress
Wordpress
Cross-Site Scripting vulnerability in Buddypress

Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details.

4.3
2014-03-01 CVE-2014-1695 Otrs Cross-Site Scripting vulnerability in Otrs

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email.

4.3
2014-03-01 CVE-2014-1456 Openwebanalytics Cross-Site Scripting vulnerability in Openwebanalytics Open web Analytics

Cross-site scripting (XSS) vulnerability in the login page in Open Web Analytics (OWA) before 1.5.6 allows remote attackers to inject arbitrary web script or HTML via the owa_user_id parameter to index.php.

4.3
2014-02-27 CVE-2014-2231 I Doit Cross-Site Scripting vulnerability in I-Doit

Cross-site scripting (XSS) vulnerability in the API in synetics i-doit pro before 1.2.5 allows remote attackers to inject arbitrary web script or HTML via a property title.

4.3
2014-02-27 CVE-2014-2035 Interworx Cross-Site Scripting vulnerability in Interworx web Control Panel

Cross-site scripting (XSS) vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.13 build 574 allows remote attackers to inject arbitrary web script or HTML via the i parameter.

4.3
2014-02-27 CVE-2014-1223 Telligent Cross-Site Scripting vulnerability in Telligent Evolution

Cross-site scripting (XSS) vulnerability in controlpanel/loading.aspx in Telligent Evolution before 6.1.19.36103, 7.x before 7.1.12.36162, 7.5.x, and 7.6.x before 7.6.7.36651 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.

4.3
2014-02-27 CVE-2014-1968 Riken Cross-Site Scripting vulnerability in Riken Xoonips

Cross-site scripting (XSS) vulnerability in the XooNIps module 3.47 and earlier for XOOPS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-02-27 CVE-2014-1263 Apple Cryptographic Issues vulnerability in Apple mac OS X

curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

4.3
2014-02-26 CVE-2012-2134 Martin Nagy Resource Management Errors vulnerability in Martin Nagy Bind-Dyndb-Ldap

The handle_connection_error function in ldap_helper.c in bind-dyndb-ldap before 1.1.0rc1 does not properly handle LDAP query errors, which allows remote attackers to cause a denial of service (infinite loop and named server hang) via a non-alphabet character in the base DN in an LDAP search DNS query.

4.3
2014-02-26 CVE-2011-4580 Redhat Cross-Site Scripting vulnerability in Redhat Jboss Enterprise Portal Platform

Multiple cross-site scripting (XSS) vulnerabilities in Red Hat JBoss Enterprise Portal Platform before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-02-26 CVE-2014-0033 Apache Improper Input Validation vulnerability in Apache Tomcat

org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.

4.3
2014-02-26 CVE-2013-7331 Microsoft Information Exposure vulnerability in Microsoft Internet Explorer

The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.

4.3
2014-02-26 CVE-2013-4590 Apache
Debian
Oracle
Information Exposure vulnerability in multiple products

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

4.3
2014-02-26 CVE-2013-4322 Apache Improper Input Validation vulnerability in Apache Tomcat

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data.

4.3
2014-02-25 CVE-2013-6047 Ikiwiki Hosting Project Cross-Site Scripting vulnerability in Ikiwiki Hosting Project Ikiwiki Hosting

Multiple cross-site scripting (XSS) vulnerabilities in the site creation interface in ikiwiki-hosting before 0.20131025 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-02-27 CVE-2014-2102 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Unified Contact Center Express Editor Software

Cisco Unified Contact Center Express (Unified CCX) does not properly restrict the content of the CCMConfig page, which allows remote authenticated users to obtain sensitive information by examining this content, aka Bug ID CSCum95575.

4.0
2014-02-27 CVE-2014-0820 Cybozu Path Traversal vulnerability in Cybozu Garoon

Directory traversal vulnerability in the download feature in Cybozu Garoon 2.x through 2.5.4 and 3.x through 3.7 SP3 allows remote authenticated users to read arbitrary files via unspecified vectors.

4.0
2014-02-27 CVE-2014-0746 Cisco Information Exposure vulnerability in Cisco Unified Contact Center Express Editor Software

The disaster recovery system (DRS) in Cisco Unified Contact Center Express (Unified CCX) allows remote authenticated users to obtain sensitive information by reading extraneous fields in an HTML document, aka Bug ID CSCum95536.

4.0
2014-02-26 CVE-2013-6731 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Netezza Performance Portal 2.0/2.0.0.1/2.0.0.2

IBM Netezza Performance Portal 2.x before 2.0.0.3 allows remote authenticated users to change arbitrary passwords via an HTTP POST request.

4.0
2014-02-26 CVE-2014-0839 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Rational Focal Point

IBM Rational Focal Point 6.4.x and 6.5.x before 6.5.2.3 and 6.6.x before 6.6.1 allows remote authenticated users to modify data via vectors involving a direct object reference.

4.0

17 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-02-27 CVE-2014-1257 Apple Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X

CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation.

3.6
2014-03-02 CVE-2014-2091 Atutor Cross-Site Scripting vulnerability in Atutor 2.1.1

Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php in ATutor 2.1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the title parameter in an add_forum action.

3.5
2014-03-02 CVE-2014-2090 Ilias Cross-Site Scripting vulnerability in Ilias 4.4.1

Multiple cross-site scripting (XSS) vulnerabilities in ilias.php in ILIAS 4.4.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tar, (2) tar_val, or (3) title parameter.

3.5
2014-03-02 CVE-2014-0334 Cmsmadesimple Cross-Site Scripting vulnerability in Cmsmadesimple CMS Made Simple

Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple allow remote authenticated users to inject arbitrary web script or HTML via (1) the group parameter to admin/addgroup.php, (2) the htmlblob parameter to admin/addhtmlblob.php, the (3) title or (4) url parameter to admin/addbookmark.php, (5) the stylesheet_name parameter to admin/copystylesheet.php, (6) the template_name parameter to admin/copytemplate.php, the (7) title or (8) url parameter to admin/editbookmark.php, (9) the template parameter to admin/listtemplates.php, or (10) the css_name parameter to admin/listcss.php, a different issue than CVE-2014-2092.

3.5
2014-03-01 CVE-2014-2067 Jenkins Cross-Site Scripting vulnerability in Jenkins

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

3.5
2014-02-28 CVE-2014-0874 IBM Cross-Site Scripting vulnerability in IBM Content Navigator 2.0.0/2.0.1/2.0.2

Cross-site scripting (XSS) vulnerability in IBM Content Navigator 2.x before 2.0.2.2-ICN-FP002 allows remote authenticated users to inject arbitrary web script or HTML via an unspecified parameter.

3.5
2014-02-27 CVE-2014-0858 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Content Navigator 2.0.0/2.0.1/2.0.2

IBM Content Navigator 2.x before 2.0.2.2-ICN-FP002 allows remote authenticated users to bypass intended access restrictions and conduct deleteAction attacks via a modified URL.

3.5
2014-02-26 CVE-2014-0853 IBM Cross-Site Scripting vulnerability in IBM Rational Focal Point

Multiple cross-site scripting (XSS) vulnerabilities in the (1) ForwardController and (2) AttributeEditor scripts in IBM Rational Focal Point 6.4.x and 6.5.x before 6.5.2.3 and 6.6.x before 6.6.1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2014-02-26 CVE-2014-0843 IBM Cross-Site Scripting vulnerability in IBM Rational Focal Point

Cross-site scripting (XSS) vulnerability in IBM Rational Focal Point 6.4.x and 6.5.x before 6.5.2.3 and 6.6.x before 6.6.1 allows remote authenticated users to inject arbitrary web script or HTML by uploading a file.

3.5
2014-02-26 CVE-2014-0840 IBM Cross-Site Scripting vulnerability in IBM Rational Focal Point

Multiple cross-site scripting (XSS) vulnerabilities in IBM Rational Focal Point 6.4.x and 6.5.x before 6.5.2.3 and 6.6.x before 6.6.1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2014-02-27 CVE-2014-1264 Apple Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X

Finder in Apple OS X before 10.9.2 does not ensure ACL integrity after the viewing of file ACL information, which allows local users to bypass intended access restrictions in opportunistic circumstances via standard filesystem operations on a file with a damaged ACL.

3.3
2014-02-26 CVE-2011-1749 Linux NFS Improper Input Validation vulnerability in Linux-Nfs Nfs-Utils

The nfs_addmntent function in support/nfs/nfs_mntent.c in the mount.nsf tool in nfs-utils before 1.2.4 attempts to append to the /etc/mtab file without first checking whether resource limits would interfere, which allows local users to corrupt this file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089.

3.3
2014-03-01 CVE-2011-3634 Debian
Canonical
Information Exposure vulnerability in multiple products

methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors.

2.6
2014-02-28 CVE-2014-1690 Linux
Canonical
Information Exposure vulnerability in multiple products

The help function in net/netfilter/nf_nat_irc.c in the Linux kernel before 3.12.8 allows remote attackers to obtain sensitive information from kernel memory by establishing an IRC DCC session in which incorrect packet data is transmitted during use of the NAT mangle feature.

2.6
2014-02-27 CVE-2014-0046 Emberjs Cross-Site Scripting vulnerability in Emberjs Ember.Js

Cross-site scripting (XSS) vulnerability in the link-to helper in Ember.js 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6, when used in non-block form, allows remote attackers to inject arbitrary web script or HTML via the title attribute.

2.6
2014-02-28 CVE-2014-2038 Linux
Canonical
Information Exposure vulnerability in multiple products

The nfs_can_extend_write function in fs/nfs/write.c in the Linux kernel before 3.13.3 relies on a write delegation to extend a write operation without a certain up-to-date verification, which allows local users to obtain sensitive information from kernel memory in opportunistic circumstances by writing to a file in an NFS filesystem and then reading the same file.

2.1
2014-02-26 CVE-2014-0058 Redhat Cryptographic Issues vulnerability in Redhat Jboss Enterprise Application Platform

The security audit functionality in Red Hat JBoss Enterprise Application Platform (EAP) 6.x before 6.2.1 logs request parameters in plaintext, which might allow local users to obtain passwords by reading the log files.

1.9