Weekly Vulnerabilities Reports > April 14 to 20, 2014
Overview
217 new vulnerabilities were reported during this period, including 21 critical and 36 high severity vulnerabilities. This weekly summary reports vulnerabilities in 145 products from 66 vendors, including Oracle, Canonical, Debian, IBM, and Paperthin. The most common weakness categories are "Improper Input Validation", "Permissions, Privileges, and Access Controls", "Cross-site Scripting", "Improper Authentication", and "Path Traversal".
- 187 reported vulnerabilities are remotely exploitable.
- 9 reported vulnerabilities have a public exploit available.
- 29 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 164 reported vulnerabilities are exploitable by an anonymous user.
- Oracle has the most reported vulnerabilities, with 98.
- Oracle has the most reported critical vulnerabilities, with 9.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
21 Critical Vulnerabilities
36 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-04-19 | CVE-2013-6215 | HP | Remote Code Execution vulnerability in HP Universal Configuration Management Database 10.01/10.10 Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 10.01 and 10.10 allows remote authenticated users to execute arbitrary code via unknown vectors, aka ZDI-CAN-1977. | 8.5 |
2014-04-16 | CVE-2014-2406 | Oracle | Remote Security vulnerability in Oracle Database Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to "Advisor" and "Select Any Dictionary" privileges. | 8.5 |
2014-04-17 | CVE-2014-2707 | Linuxfoundation | OS Command Injection vulnerability in Linuxfoundation Cups-Filters cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the (1) model or (2) PDL, related to "System V interface scripts generated for queues." | 8.3 |
2014-04-15 | CVE-2014-0356 | Zyxel | OS Command Injection vulnerability in Zyxel products The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allows remote attackers to execute arbitrary code via shell metacharacters in input to the (1) detectWeather, (2) set_language, (3) SystemCommand, or (4) NTPSyncWithHost function in management.c, or a (5) SET COUNTRY, (6) SET WLAN SSID, (7) SET WLAN CHANNEL, (8) SET WLAN STATUS, or (9) SET WLAN COUNTRY udps command. | 7.9 |
2014-04-15 | CVE-2014-0355 | Zyxel | Buffer Errors vulnerability in Zyxel products Multiple stack-based buffer overflows on the ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allow man-in-the-middle attackers to execute arbitrary code via (1) a long temp attribute in a yweather:condition element in a forecastrss file that is processed by the checkWeather function; the (2) WeatherCity or (3) WeatherDegree variable to the detectWeather function; unspecified input to the (4) UpnpAddRunRLQoS, (5) UpnpDeleteRunRLQoS, or (6) UpnpDeletePortCheckType function; or (7) the SET COUNTRY udps command. | 7.9 |
2014-04-19 | CVE-2014-1983 | Cybozu | Denial of Service vulnerability in Cybozu Remote Service Manager Unspecified vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to cause a denial of service (CPU consumption) via unknown vectors. | 7.8 |
2014-04-17 | CVE-2014-0644 | EMC | Information Exposure vulnerability in EMC products EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file. | 7.8 |
2014-04-15 | CVE-2014-2842 | Juniper | Resource Management Errors vulnerability in Juniper Screenos Juniper ScreenOS 6.3 and earlier allows remote attackers to cause a denial of service (crash and restart or failover) via a malformed SSL/TLS packet. | 7.8 |
2014-04-15 | CVE-2014-2828 | Openstack | Improper Authentication vulnerability in Openstack Keystone The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining." | 7.8 |
2014-04-15 | CVE-2014-0358 | Xangati | Path Traversal vulnerability in Xangati Software Release and Xangati XNR Multiple directory traversal vulnerabilities in Xangati XSR before 11 and XNR before 7 allow remote attackers to read arbitrary files via a .. | 7.8 |
2014-04-15 | CVE-2014-0354 | Zyxel | Credentials Management vulnerability in Zyxel products The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request. | 7.8 |
2014-04-16 | CVE-2014-2428 | Oracle IBM | Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. | 7.6 |
2014-04-16 | CVE-2014-0448 | Oracle IBM | Unspecified vulnerability in Oracle Java SE 7u51 and 8 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. | 7.6 |
2014-04-18 | CVE-2014-2286 | Digium Fedoraproject | Improper Input Validation vulnerability in multiple products main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.x before 1.8.15-cert5 and 11.6 before 11.6-cert2, allows remote attackers to cause a denial of service (stack consumption) and possibly execute arbitrary code via an HTTP request with a large number of Cookie headers. | 7.5 |
2014-04-18 | CVE-2013-7369 | F Secure | SQL Injection vulnerability in F-Secure products SQL injection vulnerability in an unspecified DLL in the FSDBCom ActiveX control in F-Secure Anti-Virus for Microsoft Exchange Server before HF02, Anti-Virus for Windows Servers 9.00 before HF09, Anti-Virus for Citrix Servers 9.00 before HF09, and F-Secure Email and Server Security and F-Secure Server Security 9.20 before HF01 allows remote attackers to execute arbitrary SQL commands via unknown vectors, related to GetCommand. | 7.5 |
2014-04-16 | CVE-2013-4694 | Nullsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nullsoft Winamp Stack-based buffer overflow in gen_jumpex.dll in Winamp before 5.64 Build 3418 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a package with a long Skin directory name. | 7.5 |
2014-04-16 | CVE-2011-4195 | Suse | Unspecified vulnerability in Suse Kiwi, Studio Extension for System Z and Studio Onsite kiwi before 4.98.05, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in an image name. | 7.5 |
2014-04-16 | CVE-2011-4192 | Suse | Unspecified vulnerability in Suse Kiwi, Studio Extension for System Z and Studio Onsite kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile." Per: https://cwe.mitre.org/data/definitions/77.html "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')" | 7.5 |
2014-04-16 | CVE-2011-3180 | Suse | Unspecified vulnerability in Suse Kiwi, Studio Extension for System Z and Studio Onsite kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown. | 7.5 |
2014-04-16 | CVE-2014-2470 | Oracle | Remote Security vulnerability in Oracle WebLogic Server Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Security. | 7.5 |
2014-04-16 | CVE-2014-2427 | Canonical Oracle Debian | Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound. | 7.5 |
2014-04-16 | CVE-2014-2423 | Canonical Oracle Debian | Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-0458. | 7.5 |
2014-04-16 | CVE-2014-2414 | Canonical Oracle Debian | Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXB. | 7.5 |
2014-04-16 | CVE-2014-2412 | Canonical Oracle Debian | Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, SE 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT, a different vulnerability than CVE-2014-0451. | 7.5 |
2014-04-16 | CVE-2014-2402 | Canonical Oracle | Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0432 and CVE-2014-0455. | 7.5 |
2014-04-16 | CVE-2014-0458 | Canonical Oracle Debian | Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-2423. | 7.5 |
2014-04-16 | CVE-2014-0454 | Canonical Oracle IBM | Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security. | 7.5 |
2014-04-16 | CVE-2014-0452 | Canonical Oracle Debian | Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0458 and CVE-2014-2423. | 7.5 |
2014-04-16 | CVE-2014-0451 | Canonical Oracle Debian | Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT, a different vulnerability than CVE-2014-2412. | 7.5 |
2014-04-16 | CVE-2014-0446 | Canonical Oracle Debian | Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. | 7.5 |
2014-04-15 | CVE-2014-2868 | Paperthin | Unspecified vulnerability in Paperthin Commonspot Content Server PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to modify the flow of execution of ColdFusion code by using an HTTP GET request to set a ColdFusion variable. | 7.5 |
2014-04-15 | CVE-2014-2865 | Paperthin | Permissions, Privileges, and Access Controls vulnerability in Paperthin Commonspot Content Server PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to bypass intended access restrictions via a '\0' character, as demonstrated by using this character within a pathname on the drive containing the web root directory of a ColdFusion installation. | 7.5 |
2014-04-15 | CVE-2014-2859 | Paperthin | Permissions, Privileges, and Access Controls vulnerability in Paperthin Commonspot Content Server PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to bypass intended access restrictions via a direct request. | 7.5 |
2014-04-15 | CVE-2014-0342 | Pivotx | Arbitrary File Upload vulnerability in PivotX 'fileupload.php' Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors. | 7.5 |
2014-04-14 | CVE-2014-2714 | Juniper | Improper Input Validation vulnerability in Juniper Junos The Enhanced Web Filtering (EWF) in Juniper Junos before 10.4R15, 11.4 before 11.4R9, 12.1 before 12.1R7, 12.1X44 before 12.1X44-D20, 12.1X45 before 12.1X45-D10, and 12.1X46 before 12.1X46-D10, as used in the SRX Series services gateways, allows remote attackers to cause a denial of service (flow daemon crash and restart) via a crafted URL. | 7.1 |
2014-04-14 | CVE-2014-0614 | Juniper | Denial of Service vulnerability in Juniper Junos 13.2/13.3 Juniper Junos 13.2 before 13.2R3 and 13.3 before 13.3R1, when PIM is enabled, allows remote attackers to cause a denial of service (kernel panic and crash) via a large number of crafted IGMP packets. | 7.1 |
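The cups-filters (CVE-2014-2707), ZyXEL NBG-419N (CVE-2014-0356) and SUSE kiwi (CVE-2011-3180, CVE-2011-4195) entries above are one bug class: a string the attacker controls (a printer model, a PDL, an image name, an overlay path) is pasted verbatim into text that a shell later interprets. The Python example below is added here to show that class and the two fixes a practitioner would want; it is not code from cups-filters, ZyXEL or kiwi. The script shape, the attribute values and the allowlist are constructed for the example, and `run_script` needs a POSIX `sh` on the host.

```python
import shlex
import subprocess

# Constructed sample attribute values, as a remote IPP printer could advertise
# them. The second one carries shell metacharacters.
BENIGN_MODEL = "HP LaserJet 4"
HOSTILE_MODEL = "x; echo INJECTED"
PDL = "application/pdf"


def build_interface_script(model, pdl, quote):
    """Return a tiny System V-style interface script that records the queue's
    model and PDL. With quote=False the attribute values are pasted into the
    shell text verbatim (the bug class behind the cups-browsed entry); with
    quote=True each value is wrapped by shlex.quote() so the shell treats it
    as a single literal word."""
    q = shlex.quote if quote else (lambda s: s)
    return (
        "#!/bin/sh\n"
        f"MODEL={q(model)}\n"
        f"PDL={q(pdl)}\n"
        "printf 'model=%s pdl=%s\\n' \"$MODEL\" \"$PDL\"\n"
    )


def run_script(script):
    """Execute the generated script with /bin/sh and return its stdout."""
    proc = subprocess.run(["sh", "-c", script], capture_output=True,
                          text=True, check=False)
    return proc.stdout


def is_safe_attribute(value, max_len=127):
    """Allowlist check for printer attributes before they reach any
    shell-visible context: letters, digits and a few punctuation characters
    that are never shell metacharacters. Constructed policy; quoting is the
    primary fix, this is the defence in depth."""
    allowed = set("abcdefghijklmnopqrstuvwxyz"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "0123456789 ._-/+,")
    return 0 < len(value) <= max_len and all(c in allowed for c in value)


if __name__ == "__main__":
    # Unquoted: the hostile model runs 'echo INJECTED' before printf.
    print(run_script(build_interface_script(HOSTILE_MODEL, PDL, quote=False)))
    # Quoted: the same value is printed back as a literal string.
    print(run_script(build_interface_script(HOSTILE_MODEL, PDL, quote=True)))
    print(is_safe_attribute(BENIGN_MODEL), is_safe_attribute(HOSTILE_MODEL))
```

The unquoted script prints `INJECTED` on its own line before the model line; the quoted one prints `model=x; echo INJECTED pdl=application/pdf`. Where the generated text is a command line rather than a script, the same fix is to pass an argument list to `subprocess.run` and never go through `sh -c` at all.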
134 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-04-15 | CVE-2011-3628 | Canonical | Unspecified vulnerability in Canonical Libpam-Modules and Ubuntu Linux Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.04 LTS, when using certain configurations such as "session optional pam_motd.so", allows local users to gain privileges by modifying the PATH environment variable to reference a malicious command, as demonstrated via uname. | 6.9 |
2014-04-19 | CVE-2014-1990 | Toshibatec | Cross-Site Request Forgery (CSRF) vulnerability in Toshibatec products Cross-site request forgery (CSRF) vulnerability in TopAccess (aka the web-based management utility) on TOSHIBA TEC e-Studio 232, 233, 282, and 283 devices allows remote attackers to hijack the authentication of administrators for requests that change passwords. | 6.8 |
2014-04-19 | CVE-2014-1984 | Cybozu | Improper Authentication vulnerability in Cybozu Remote Service Manager Session fixation vulnerability in the management screen in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to hijack web sessions via unspecified vectors. | 6.8 |
2014-04-17 | CVE-2014-0054 | Springsource Vmware | Cross-Site Request Forgery (CSRF) vulnerability in multiple products The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. | 6.8 |
2014-04-17 | CVE-2014-0036 | Amos Benari | Cryptographic Issues vulnerability in Amos Benari Rbovirt The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors. | 6.8 |
2014-04-16 | CVE-2014-2422 | Oracle | Unspecified vulnerability in Oracle Javafx, JDK and JRE Unspecified vulnerability in Oracle Java SE 7u51 and 8, and JavaFX 2.2.51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 6.8 |
2014-04-16 | CVE-2014-2408 | Oracle | Remote Security vulnerability in Oracle Database Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to the "Grant Any Object Privilege." | 6.6 |
2014-04-19 | CVE-2013-6212 | HP | Information Disclosure vulnerability in HP Database and Middleware Automation Unspecified vulnerability in HP Database and Middleware Automation 10.0, 10.01, 10.10, and 10.20 before 10.20.100 allows remote authenticated users to obtain sensitive information via unknown vectors. | 6.5 |
2014-04-17 | CVE-2013-2143 | Redhat Theforeman | Improper Input Validation vulnerability in multiple products The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account. | 6.5 |
2014-04-16 | CVE-2014-2444 | Oracle | Remote Security vulnerability in Oracle MySQL Server Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to InnoDB. | 6.5 |
2014-04-16 | CVE-2014-2436 | Oracle Mariadb Redhat | Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR. | 6.5 |
2014-04-16 | CVE-2014-2411 | Oracle | Remote Security vulnerability in Oracle Identity Analytics Unspecified vulnerability in the Oracle Identity Analytics component in Oracle Fusion Middleware Oracle Identity Analytics 11.1.1.5 and Sun Role Manager 5.0 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Security. | 6.5 |
2014-04-15 | CVE-2014-2862 | Paperthin | Permissions, Privileges, and Access Controls vulnerability in Paperthin Commonspot Content Server PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not check authorization in unspecified situations, which allows remote authenticated users to perform actions via unknown vectors. | 6.5 |
2014-04-19 | CVE-2014-1974 | Lyesoft | Path Traversal vulnerability in Lyesoft Andexplorer Directory traversal vulnerability in the LYSESOFT AndExplorer application before 20140403 and AndExplorerPro application before 20140405 for Android allows attackers to overwrite or create arbitrary files via unspecified vectors. | 6.4 |
2014-04-17 | CVE-2014-0071 | Redhat | Permissions, Privileges, and Access Controls vulnerability in Redhat Openstack 4.0 PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections. | 6.4 |
2014-04-16 | CVE-2014-2338 | Strongswan | Improper Authentication vulnerability in Strongswan IKEv2 in strongSwan 4.0.7 before 5.1.3 allows remote attackers to bypass authentication by rekeying an IKE_SA during (1) initiation or (2) re-authentication, which triggers the IKE_SA state to be set to established. | 6.4 |
2014-04-16 | CVE-2014-2439 | Oracle | Remote Security vulnerability in Oracle Secure Global Desktop (SGD) Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) component in Oracle Virtualization 5.0 and 5.1 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Workspace Web Application. | 6.4 |
2014-04-16 | CVE-2014-2409 | Oracle | Unspecified vulnerability in Oracle JDK and JRE Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment. | 6.4 |
2014-04-15 | CVE-2014-0138 | Haxx Debian | Improper Authentication vulnerability in multiple products The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015. | 6.4 |
2014-04-18 | CVE-2012-0871 | Systemd Project Opensuse | Link Following vulnerability in multiple products The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/. | 6.3 |
2014-04-16 | CVE-2011-0460 | KBD Project Opensuse | Link Following vulnerability in multiple products The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map. | 6.3 |
2014-04-15 | CVE-2014-0353 | Zyxel | Improper Authentication vulnerability in Zyxel products The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allows remote attackers to bypass authentication by using %2F sequences in place of / (slash) characters. | 6.1 |
2014-04-16 | CVE-2014-2455 | Oracle | Remote Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3 Unspecified vulnerability in the Hyperion Common Admin component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to User Interface. | 6.0 |
2014-04-15 | CVE-2010-2236 | Redhat | Improper Input Validation vulnerability in Redhat Network Proxy, Satellite and Spacewalk-Java The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, related to backticks. | 6.0 |
2014-04-15 | CVE-2014-0105 | Openstack | Credentials Management vulnerability in Openstack Python-Keystoneclient The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached." | 6.0 |
2014-04-17 | CVE-2014-2880 | Oracle | Improper Input Validation vulnerability in Oracle Identity Manager 11.1.2.1.0 Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backUrl parameter in a changepwd action to identity/faces/firstlogin. | 5.8 |
2014-04-16 | CVE-2014-0460 | Oracle Canonical Juniper Debian | Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via vectors related to JNDI. | 5.8 |
2014-04-15 | CVE-2014-1986 | Kokuyo | Permissions, Privileges, and Access Controls vulnerability in Kokuyo Camiapp 1.21.1 The Content Provider in the KOKUYO CamiApp application 1.21.1 and earlier for Android allows attackers to bypass intended access restrictions and read database information via a crafted application. | 5.8 |
2014-04-15 | CVE-2014-0139 | Haxx | Cryptographic Issues vulnerability in Haxx Curl and Libcurl cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. | 5.8 |
2014-04-18 | CVE-2013-7196 | Phpfox | Permissions, Privileges, and Access Controls vulnerability in PHPfox 3.7.3/3.7.4/3.7.5 static/ajax.php in PHPFox 3.7.3, 3.7.4, and 3.7.5 allows remote authenticated users to bypass intended "Only Me" restrictions and comment on a private publication via a request with a modified val[item_id] parameter for the publication. | 5.5 |
2014-04-18 | CVE-2013-7195 | Phpfox | Permissions, Privileges, and Access Controls vulnerability in PHPfox 3.7.3/3.7.4 PHPFox 3.7.3 and 3.7.4 allows remote authenticated users to bypass intended "Only Me" restrictions and "like" a publication via a request that specifies the ID for the publication. | 5.5 |
2014-04-15 | CVE-2014-0642 | EMC | Permissions, Privileges, and Access Controls vulnerability in EMC Documentum Content Server EMC Documentum Content Server before 6.7 SP1 P26, 6.7 SP2 before P13, 7.0 before P13, and 7.1 before P02 allows remote authenticated users to bypass intended access restrictions and read metadata from certain folders via unspecified vectors. | 5.5 |
2014-04-16 | CVE-2014-2440 | Oracle Mariadb Redhat | Unspecified vulnerability in the MySQL Client component in Oracle MySQL 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 5.1 |
2014-04-19 | CVE-2014-2155 | Cisco | Improper Input Validation vulnerability in Cisco CNS Network Registrar 7.1 The DHCPv6 server module in Cisco CNS Network Registrar 7.1 allows remote attackers to cause a denial of service (daemon reload) via a malformed DHCPv6 packet, aka Bug ID CSCuo07437. | 5.0 |
2014-04-19 | CVE-2014-2733 | Siemens | Improper Input Validation vulnerability in Siemens Sinema Server 12.0 Siemens SINEMA Server before 12 SP1 allows remote attackers to cause a denial of service (web-interface outage) via crafted HTTP requests to port (1) 4999 or (2) 80. | 5.0 |
2014-04-19 | CVE-2014-2732 | Siemens | Path Traversal vulnerability in Siemens Sinema Server 12.0 Multiple directory traversal vulnerabilities in the integrated web server in Siemens SINEMA Server before 12 SP1 allow remote attackers to access arbitrary files via HTTP traffic to port (1) 4999 or (2) 80. | 5.0 |
2014-04-19 | CVE-2014-0778 | Progea | Information Exposure vulnerability in Progea Movicon 11.4 The TCPUploader module in Progea Movicon 11.4 before 11.4.1150 allows remote attackers to obtain potentially sensitive version information via network traffic to TCP port 10651. | 5.0 |
2014-04-17 | CVE-2014-2469 | Oracle | Remote Denial of Service vulnerability in Oracle Sunos 5.11.1 Unspecified vulnerability in lighttpd in Oracle Solaris 11.1 allows attackers to cause a denial of service via unknown vectors. | 5.0 |
2014-04-17 | CVE-2014-2310 | NET Snmp | Improper Input Validation vulnerability in Net-Snmp The AgentX subagent in Net-SNMP before 5.4.4 allows remote attackers to cause a denial of service (hang) by sending a multi-object request with an Object ID (OID) containing more subids than previous requests, a different vulnerability than CVE-2012-6151. | 5.0 |
2014-04-16 | CVE-2014-2461 | Oracle | Remote Security vulnerability in Oracle Transportation Management Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 5.5.06, 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2, and 6.3.3 allows remote attackers to affect confidentiality via unknown vectors related to Security. | 5.0 |
2014-04-16 | CVE-2014-2448 | Oracle | Remote Security vulnerability in Oracle Peoplesoft products 8.52/8.53 Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect confidentiality via unknown vectors related to Install and Packaging. | 5.0 |
2014-04-16 | CVE-2014-2447 | Oracle | Remote Security vulnerability in Oracle Peoplesoft products 8.52/8.53 Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect confidentiality via unknown vectors related to Integration Broker, a different vulnerability than CVE-2014-2437. | 5.0 |
2014-04-16 | CVE-2014-2437 | Oracle | Remote Security vulnerability in Oracle Peoplesoft products 8.52/8.53 Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect confidentiality via unknown vectors related to Integration Broker, a different vulnerability than CVE-2014-2447. | 5.0 |
2014-04-16 | CVE-2014-2433 | Oracle | Remote Security vulnerability in Oracle Peoplesoft products 8.53 Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote attackers to affect availability via unknown vectors related to Integration Broker. | 5.0 |
2014-04-16 | CVE-2014-2418 | Oracle | Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.3.0 Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2416, and CVE-2014-2417. | 5.0 |
2014-04-16 | CVE-2014-2417 | Oracle | Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.3.0 Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2416, and CVE-2014-2418. | 5.0 |
2014-04-16 | CVE-2014-2416 | Oracle | Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.3.0 Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418. | 5.0 |
2014-04-16 | CVE-2014-2415 | Oracle | Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.3.0 Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2416, CVE-2014-2417, and CVE-2014-2418. | 5.0 |
2014-04-16 | CVE-2014-2407 | Oracle | Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.3.0 Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2415, CVE-2014-2416, CVE-2014-2417, and CVE-2014-2418. | 5.0 |
2014-04-16 | CVE-2014-2403 | Canonical Oracle Debian | Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality via vectors related to JAXP. | 5.0 |
2014-04-16 | CVE-2014-2401 | Oracle IBM | Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality via unknown vectors related to 2D. | 5.0 |
2014-04-16 | CVE-2014-0450 | Oracle | Information Disclosure vulnerability in Oracle Fusion Middleware 11.1.1.7.0/11.1.1.8.0 Unspecified vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.7 and 11.1.1.8 allows remote attackers to affect confidentiality via unknown vectors related to People Connection. | 5.0 |
2014-04-16 | CVE-2014-0449 | Oracle | Unspecified vulnerability in Oracle JDK and JRE Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality via unknown vectors related to Deployment. | 5.0 |
2014-04-16 | CVE-2014-0414 | Oracle | Remote Security vulnerability in Oracle Fusion Middleware 10.1.3.5 Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality via vectors related to HTTP Request Handling. | 5.0 |
2014-04-16 | CVE-2013-4768 | Eucalyptus | Improper Input Validation vulnerability in Eucalyptus The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote attackers to cause a denial of service via vectors related to the "network connection clean up code" and (1) Cloud Controller (CLC), (2) Walrus, (3) Storage Controller (SC), and (4) VMware Broker (VB). | 5.0 |
2014-04-15 | CVE-2014-2858 | Gopivotal | Path Traversal vulnerability in Gopivotal Grails and Grails-Resources Directory traversal vulnerability in the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 through 2.3.6 allows remote attackers to obtain sensitive information via unspecified vectors related to a "configured block." NOTE: this issue was SPLIT from CVE-2014-0053 per ADT2 due to different vulnerability types. | 5.0 |
2014-04-15 | CVE-2014-2857 | Gopivotal | Permissions, Privileges, and Access Controls vulnerability in Gopivotal Grails and Grails-Resources The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 through 2.3.6 does not properly restrict access to files in the META-INF directory, which allows remote attackers to obtain sensitive information via a direct request. | 5.0 |
2014-04-15 | CVE-2014-0053 | Gopivotal | Permissions, Privileges, and Access Controls vulnerability in Gopivotal Grails and Grails-Resources The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 before 2.3.6 does not properly restrict access to files in the WEB-INF directory, which allows remote attackers to obtain sensitive information via a direct request. | 5.0 |
2014-04-15 | CVE-2014-2873 | Paperthin | Information Exposure vulnerability in Paperthin Commonspot Content Server PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not require authentication for access to log files, which allows remote attackers to obtain sensitive server information by using a predictable name in a request for a file. | 5.0 |
2014-04-15 | CVE-2014-2872 | Paperthin | Information Exposure vulnerability in Paperthin Commonspot Content Server PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to obtain potentially sensitive information from a directory listing via unspecified vectors. | 5.0 |
2014-04-15 | CVE-2014-2871 | Paperthin | Information Exposure vulnerability in Paperthin Commonspot Content Server PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on an HTTP session for entering credentials on login pages, which allows remote attackers to obtain sensitive information by sniffing the network. | 5.0 |
2014-04-15 | CVE-2014-2870 | Paperthin | Credentials Management vulnerability in Paperthin Commonspot Content Server The default configuration of PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 uses cleartext for storage of credentials in a database, which makes it easier for context-dependent attackers to obtain sensitive information via unspecified vectors. | 5.0 |
2014-04-15 | CVE-2014-2869 | Paperthin | Information Exposure vulnerability in Paperthin Commonspot Content Server PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to obtain sensitive information via requests to unspecified URIs, as demonstrated by pathname, SQL server, e-mail address, and IP address information. | 5.0 |
2014-04-15 | CVE-2014-0357 | Amtelco | Improper Authentication vulnerability in Amtelco Misecuremessages Amtelco miSecureMessages allows remote attackers to read the messages of arbitrary users via an XML request containing a valid license key and a modified contactID value, as demonstrated by a request from the iOS or Android application. | 5.0 |
2014-04-15 | CVE-2013-5705 | Trustwave Debian | apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header. | 5.0 |
2014-04-14 | CVE-2014-2852 | Openafs | Improper Input Validation vulnerability in Openafs OpenAFS before 1.6.7 delays the listen thread when an RXS_CheckResponse fails, which allows remote attackers to cause a denial of service (performance degradation) via an invalid packet. | 5.0 |
2014-04-14 | CVE-2014-2713 | Juniper | Denial of Service vulnerability in Juniper Junos Juniper Junos before 11.4R11, 12.1 before 12.1R9, 12.2 before 12.2R7, 12.3R4 before 12.3R4-S3, 13.1 before 13.1R4, 13.2 before 13.2R2, and 13.3 before 13.3R1, as used in MX Series and T4000 routers, allows remote attackers to cause a denial of service (PFE restart) via a crafted IP packet to certain (1) Trio or (2) Cassis-based Packet Forwarding Engine (PFE) modules. | 5.0 |
2014-04-14 | CVE-2014-0612 | Juniper | Denial of Service vulnerability in Juniper Junos Branch SRX Series Unspecified vulnerability in Juniper Junos before 11.4R10-S1, before 11.4R11, 12.1X44 before 12.1X44-D26, 12.1X44 before 12.1X44-D30, 12.1X45 before 12.1X45-D20, and 12.1X46 before 12.1X46-D10, when Dynamic IPsec VPN is configured, allows remote attackers to cause a denial of service (new Dynamic VPN connection failures and CPU and disk consumption) via unknown vectors. | 5.0 |
2014-04-14 | CVE-2014-0159 | Openafs Debian | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Buffer overflow in the GetStatistics64 remote procedure call (RPC) in OpenAFS 1.4.8 before 1.6.7 allows remote attackers to cause a denial of service (crash) via a crafted statsVersion argument. | 5.0 |
2014-04-14 | CVE-2014-0128 | Squid Cache Opensuse | Improper Input Validation vulnerability in multiple products Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management. | 5.0 |
2014-04-18 | CVE-2014-2597 | Remote RAC | Improper Input Validation vulnerability in Remote-Rac RAC Server 4.0.4/4.0.5 PCNetSoftware RAC Server 4.0.4 and 4.0.5 allows local users to cause a denial of service (disabled keyboard or crash) via a large input buffer to unspecified IOCTL requests in RACDriver.sys, which triggers a buffer over-read. | 4.9 |
2014-04-18 | CVE-2014-0150 | Qemu Redhat | Numeric Errors vulnerability in multiple products Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow. | 4.9 |
2014-04-16 | CVE-2014-2426 | Oracle | Remote Security vulnerability in Oracle Fusion Middleware 8.0 Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity and availability via unknown vectors related to Admin Console. | 4.9 |
2014-04-16 | CVE-2014-0447 | Oracle SUN | Local Security vulnerability in Oracle Solaris Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local users to affect availability via unknown vectors related to Kernel, a different vulnerability than CVE-2013-5876. | 4.9 |
2014-04-15 | CVE-2014-2384 | Vmware | Resource Management Errors vulnerability in VMWare Player and Workstation vmx86.sys in VMware Workstation 10.0.1 build 1379776 and VMware Player 6.0.1 build 1379776 on Windows might allow local users to cause a denial of service (read access violation and system crash) via a crafted buffer in an IOCTL call. | 4.9 |
2014-04-17 | CVE-2014-0645 | EMC | Credentials Management vulnerability in EMC products EMC Cloud Tiering Appliance (CTA) 9.x through 10 SP1 and File Management Appliance (FMA) 7.x store DES password hashes for the root, super, and admin accounts, which makes it easier for context-dependent attackers to obtain sensitive information via a brute-force attack. | 4.7 |
2014-04-16 | CVE-2011-4089 | Bzip | Permissions, Privileges, and Access Controls vulnerability in Bzip Bzip2 The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory. | 4.6 |
2014-04-16 | CVE-2014-0442 | Oracle SUN | Local Security vulnerability in Oracle Solaris Unspecified vulnerability in Oracle Solaris 9, 10, and 11.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Print Filter Utility. | 4.6 |
2014-04-16 | CVE-2014-0421 | SUN | Local Security vulnerability in SUN Sunos 5.10 Unspecified vulnerability in Oracle Solaris 10, when running on the SPARC64-X Platform, allows local users to affect confidentiality, integrity, and availability via unknown vectors. | 4.6 |
2014-04-15 | CVE-2014-0924 | IBM | Improper Input Validation vulnerability in IBM Messagesight and Messagesight JMS Client IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 does not verify that all of the characters of a password are correct, which makes it easier for remote authenticated users to bypass intended access restrictions by leveraging knowledge of a password substring. | 4.6 |
2014-04-17 | CVE-2014-1932 | Python Pythonware | Link Following vulnerability in multiple products The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file. | 4.4 |
2014-04-16 | CVE-2014-2441 | Oracle | Local Security vulnerability in Oracle VM VirtualBox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.1.32, 4.2.24, and 4.3.10 allows local users to affect confidentiality, integrity, and availability via vectors related to Graphics driver (WDDM) for Windows guests. | 4.4 |
2014-04-15 | CVE-2008-3277 | Openfabrics Redhat | Path Traversal vulnerability in Openfabrics Ibutils 1.211.2/1.5.72 Untrusted search path vulnerability in a certain Red Hat build script for the ibmssh executable in ibutils packages before ibutils-1.5.7-2.el6 in Red Hat Enterprise Linux (RHEL) 6 and ibutils-1.2-11.2.el5 in Red Hat Enterprise Linux (RHEL) 5 allows local users to gain privileges via a Trojan Horse program in refix/lib/, related to an incorrect RPATH setting in the ELF header. | 4.4 |
2014-04-15 | CVE-2014-2580 | XEN | Resource Management Errors vulnerability in XEN The netback driver in Xen, when using certain Linux versions that do not allow sleeping in softirq context, allows local guest administrators to cause a denial of service ("scheduling while atomic" error and host crash) via a malformed packet, which causes a mutex to be taken when trying to disable the interface. | 4.4 |
2014-04-18 | CVE-2014-2288 | Digium | Improper Input Validation vulnerability in Digium Asterisk 12.0.0/12.1.0 The PJSIP channel driver in Asterisk Open Source 12.x before 12.1.1, when qualify_frequency "is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request," allows remote attackers to cause a denial of service (crash) via a PJSIP endpoint that does not have an associated outgoing request. | 4.3 |
2014-04-18 | CVE-2014-2856 | Apple | Cross-Site Scripting vulnerability in Apple Cups Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function. | 4.3 |
2014-04-17 | CVE-2014-2879 | Sonicwall | Cross-Site Scripting vulnerability in Sonicwall Email Security Appliance Multiple cross-site scripting (XSS) vulnerabilities in Dell SonicWALL Email Security 7.4.5 and earlier allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the uploadPatch parameter to the System/Advanced page (settings_advanced.html) or (2) the uploadLicenses parameter in the License management (settings_upload_dlicense.html) page. | 4.3 |
2014-04-17 | CVE-2014-0984 | SAP | Permissions, Privileges, and Access Controls vulnerability in SAP Router 710/720/721 The passwordCheck function in SAP Router 721 patch 117, 720 patch 411, 710 patch 029, and earlier terminates validation of a Route Permission Table entry password upon encountering the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack. | 4.3 |
2014-04-16 | CVE-2011-4193 | Suse | Cross-Site Scripting vulnerability in Suse Studio Extension for System Z and Studio Onsite Cross-site scripting (XSS) vulnerability in the overlay files tab in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted application, related to cloning. | 4.3 |
2014-04-16 | CVE-2014-2471 | Oracle | Remote Security vulnerability in Oracle Ilearning 6.0/6.1 Unspecified vulnerability in the Oracle iLearning component in Oracle iLearning 6.0 and 6.1 allows remote attackers to affect integrity via unknown vectors related to Learner Pages. | 4.3 |
2014-04-16 | CVE-2014-2468 | Oracle | Remote Security vulnerability in Oracle Siebel CRM 8.1.1/8.2.2 Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via vectors related to Open_UI, a different vulnerability than CVE-2014-4230. | 4.3 |
2014-04-16 | CVE-2014-2465 | Oracle | Remote Security vulnerability in Oracle Supply Chain products Suite 9.3.3 Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote attackers to affect integrity via unknown vectors related to Security. | 4.3 |
2014-04-16 | CVE-2014-2463 | Oracle | Remote Security vulnerability in Oracle Secure Global Desktop (SGD) Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) component in Oracle Virtualization 4.63, 4.71, 5.0, and 5.1 allows remote attackers to affect integrity via unknown vectors related to Workspace Web Application, a different vulnerability than CVE-2014-4232. | 4.3 |
2014-04-16 | CVE-2014-2458 | Oracle | Remote Security vulnerability in Oracle Supply Chain products Suite 6.1.0.3/6.1.1.3 Unspecified vulnerability in the Oracle Agile Product Lifecycle component in Oracle Supply Chain Products Suite 6.1.0.3 and 6.1.1.3 allows remote attackers to affect integrity via unknown vectors related to Install. | 4.3 |
2014-04-16 | CVE-2014-2457 | Oracle | Remote Security vulnerability in Oracle Supply Chain products Suite 6.0.0/6.1.0 Unspecified vulnerability in the Oracle Agile Product Lifecycle component in Oracle Supply Chain Products Suite 6.0 and 6.1.0 allows remote attackers to affect integrity via unknown vectors related to Install. | 4.3 |
2014-04-16 | CVE-2014-2454 | Oracle | Remote Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3 Unspecified vulnerability in the Hyperion Common Admin component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote attackers to affect confidentiality via unknown vectors related to User Interface. | 4.3 |
2014-04-16 | CVE-2014-2453 | Oracle | Remote Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3 Unspecified vulnerability in the Hyperion Common Admin component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote attackers to affect integrity via unknown vectors related to User Interface. | 4.3 |
2014-04-16 | CVE-2014-2443 | Oracle | Remote Security vulnerability in Oracle Peoplesoft products 8.52/8.53 Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect integrity via vectors related to PIA Core Technology. | 4.3 |
2014-04-16 | CVE-2014-2413 | Canonical Oracle | Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect integrity via unknown vectors related to Libraries. | 4.3 |
2014-04-16 | CVE-2014-2400 | Oracle | Cross-Site Scripting vulnerability in Oracle Fusion Middleware 2.2.2 Unspecified vulnerability in the Oracle Endeca Server component in Oracle Fusion Middleware 2.2.2 allows remote attackers to affect integrity via unknown vectors related to Oracle Endeca Information Discovery (Formerly Latitude), a different vulnerability than CVE-2014-2399. | 4.3 |
2014-04-16 | CVE-2014-2399 | Oracle | Cross-Site Request Forgery vulnerability in Oracle Fusion Middleware 2.2.2 Unspecified vulnerability in the Oracle Endeca Server component in Oracle Fusion Middleware 2.2.2 allows remote attackers to affect integrity via unknown vectors related to Oracle Endeca Information Discovery (Formerly Latitude), a different vulnerability than CVE-2014-2400. | 4.3 |
2014-04-16 | CVE-2014-0464 | Oracle | Unspecified vulnerability in Oracle JDK and JRE Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0463. | 4.3 |
2014-04-16 | CVE-2014-0463 | Oracle | Unspecified vulnerability in Oracle JDK and JRE Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0464. | 4.3 |
2014-04-16 | CVE-2014-0459 | Canonical Oracle Debian | Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect availability via unknown vectors related to 2D. | 4.3 |
2014-04-16 | CVE-2014-0426 | Oracle | Remote Security vulnerability in Oracle Fusion Middleware 10.1.3.5 Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect integrity via vectors related to HTTP Request Handling, a different vulnerability than CVE-2014-0413. | 4.3 |
2014-04-16 | CVE-2014-0413 | Oracle | Remote Security vulnerability in Oracle Fusion Middleware 10.1.3.5 Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect integrity via vectors related to HTTP Request Handling, a different vulnerability than CVE-2014-0426. | 4.3 |
2014-04-15 | CVE-2014-2861 | Paperthin | Unspecified vulnerability in Paperthin Commonspot Content Server Incomplete blacklist vulnerability in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string, as demonstrated by bypassing a protection mechanism that removes only the "alert" string. | 4.3 |
2014-04-15 | CVE-2014-2860 | Paperthin | Cross-Site Scripting vulnerability in Paperthin Commonspot Content Server Multiple cross-site scripting (XSS) vulnerabilities in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allow remote attackers to inject arbitrary web script or HTML via a crafted HTTP request to a (1) ColdFusion or (2) JavaScript component. | 4.3 |
2014-04-15 | CVE-2014-0923 | IBM | Improper Input Validation vulnerability in IBM Messagesight and Messagesight JMS Client IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allows remote attackers to cause a denial of service (daemon restart) via crafted MQ Telemetry Transport (MQTT) authentication data. | 4.3 |
2014-04-15 | CVE-2014-0922 | IBM | Improper Input Validation vulnerability in IBM Messagesight and Messagesight JMS Client IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allows remote attackers to cause a denial of service (resource consumption) via WebSockets MQ Telemetry Transport (MQTT) data. | 4.3 |
2014-04-15 | CVE-2014-0921 | IBM | Improper Input Validation vulnerability in IBM Messagesight and Messagesight JMS Client The server in IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allows remote attackers to cause a denial of service (daemon crash and message data loss) via malformed headers during a WebSockets connection upgrade. | 4.3 |
2014-04-15 | CVE-2013-7368 | Raoul Proenca | Cross-Site Scripting vulnerability in Raoul Proenca Gnew 2013.1 Multiple cross-site scripting (XSS) vulnerabilities in Gnew 2013.1 allow remote attackers to inject arbitrary web script or HTML via the gnew_template parameter to (1) users/profile.php, (2) articles/index.php, or (3) admin/polls.php; (4) category_id parameter to news/submit.php; news_id parameter to (5) news/send.php or (6) comments/add.php; or (7) post_subject or (8) thread_id parameter to posts/edit.php. | 4.3 |
2014-04-14 | CVE-2014-2712 | Juniper | Cross-Site Scripting vulnerability in Juniper Junos Cross-site scripting (XSS) vulnerability in J-Web in Juniper Junos before 10.0S25, 10.4 before 10.4R10, 11.4 before 11.4R11, 12.1 before 12.1R9, 12.1X44 before 12.1X44-D30, 12.1X45 before 12.1X45-D20, 12.1X46 before 12.1X46-D10, and 12.2 before 12.2R1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to index.php. | 4.3 |
2014-04-14 | CVE-2014-2711 | Juniper | Cross-Site Scripting vulnerability in Juniper Junos Cross-site scripting (XSS) vulnerability in J-Web in Juniper Junos before 11.4R11, 11.4X27 before 11.4X27.62 (BBE), 12.1 before 12.1R9, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.2 before 12.2R7, 12.3 before 12.3R6, 13.1 before 13.1R4, 13.2 before 13.2R3, and 13.3 before 13.3R1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2014-04-20 | CVE-2014-2665 | Mediawiki | Improper Authentication vulnerability in Mediawiki includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue. | 4.0 |
2014-04-19 | CVE-2013-6214 | HP | Information Disclosure vulnerability in HP Universal Configuration Management Database 10.01/10.10/9.05 Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042. | 4.0 |
2014-04-18 | CVE-2014-2522 | Haxx Microsoft | Improper Input Validation vulnerability in Haxx Curl and Libcurl curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. | 4.0 |
2014-04-16 | CVE-2014-1453 | Freebsd | Resource Management Errors vulnerability in Freebsd The NFS server (nfsserver) in FreeBSD 8.3 through 10.0 does not acquire locks in the proper order when converting a directory file handle to a vnode, which allows remote authenticated users to cause a denial of service (deadlock) via vectors involving a thread that uses the correct locking order. | 4.0 |
2014-04-16 | CVE-2014-2460 | Oracle | Remote Security vulnerability in Oracle Transportation Management Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 5.5.06, 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2, and 6.3.3 allows remote authenticated users to affect confidentiality via vectors related to CSV Management. | 4.0 |
2014-04-16 | CVE-2014-2452 | Oracle | Remote Security vulnerability in Oracle Fusion Middleware 11.1.1.5.0 Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5 allows remote authenticated users to affect availability via unknown vectors related to Webserver Plugin. | 4.0 |
2014-04-16 | CVE-2014-2450 | Oracle | Remote Security vulnerability in Oracle MySQL Server Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. | 4.0 |
2014-04-16 | CVE-2014-2449 | Oracle | Security vulnerability in Oracle Peoplesoft products 9.0/9.1/9.2 Unspecified vulnerability in the PeopleSoft Enterprise HRMS Talent Acquisition Manager component in Oracle PeopleSoft Products 9.0, 9.1, and 9.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. | 4.0 |
2014-04-16 | CVE-2014-2446 | Oracle | Remote Security vulnerability in Oracle Peoplesoft products 8.52/8.53 Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via vectors related to QAS. | 4.0 |
2014-04-16 | CVE-2014-2442 | Oracle | Remote Security vulnerability in Oracle MySQL Server Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to MyISAM. | 4.0 |
2014-04-16 | CVE-2014-2435 | Oracle | Remote Security vulnerability in Oracle MySQL Server Unspecified vulnerability in Oracle MySQL Server 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. | 4.0 |
2014-04-16 | CVE-2014-2434 | Oracle | Remote Security vulnerability in Oracle MySQL Server Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to DML. | 4.0 |
2014-04-16 | CVE-2014-2429 | Oracle | Remote Security vulnerability in Oracle Peoplesoft products 9.0 Unspecified vulnerability in the PeopleSoft Enterprise CS Campus Self Service component in Oracle PeopleSoft Products 9.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Campus Mobile. | 4.0 |
2014-04-16 | CVE-2014-2425 | Oracle | Remote Security vulnerability in Oracle Fusion Middleware 8.0 Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect confidentiality via unknown vectors. | 4.0 |
2014-04-16 | CVE-2014-2424 | Oracle | Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.7.0 Unspecified vulnerability in the Oracle Event Processing component in Oracle Fusion Middleware 11.1.1.7.0 allows remote authenticated users to affect integrity via vectors related to CEP system. | 4.0 |
2014-04-16 | CVE-2014-2419 | Oracle Mariadb Redhat | Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition. | 4.0 |
2014-04-16 | CVE-2014-2404 | Oracle | Remote Security vulnerability in Oracle Access Manager Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 10.1.4.3, 11.1.1.3.0, 11.1.1.5.0, 11.1.1.7.0, 11.1.2.0.0, 11.1.2.1.0, and 11.1.2.2.0 allows remote authenticated users to affect confidentiality via unknown vectors related to WebGate. | 4.0 |
2014-04-16 | CVE-2014-0453 | Oracle Canonical Juniper Debian IBM | Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security. | 4.0 |
2014-04-16 | CVE-2014-0384 | Oracle Mariadb Redhat | Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to XML. | 4.0 |
2014-04-14 | CVE-2010-5298 | Openssl Mariadb Fedoraproject Suse | Race Condition vulnerability in multiple products Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment. | 4.0 |
26 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-04-19 | CVE-2013-6219 | HP | Local Unauthorized Access vulnerability in HP Hp-Ux Whitelisting A.01.02 Unspecified vulnerability in HP HP-UX Whitelisting (aka WLI) before A.01.02.02 on HP-UX B.11.31 allows local users to bypass intended access restrictions via unknown vectors. | 3.8 |
2014-04-16 | CVE-2014-2459 | Oracle | Local Security vulnerability in Oracle Transportation Management Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.3.2 and 6.3.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Security. | 3.7 |
2014-04-16 | CVE-2011-4406 | Canonical | Permissions, Privileges, and Access Controls vulnerability in Canonical Accountsservice and Ubuntu Linux The Ubuntu AccountsService package before 0.6.14-1git1ubuntu1.1 does not properly drop privileges when changing language settings, which allows local users to modify arbitrary files via unspecified vectors. | 3.6 |
2014-04-18 | CVE-2014-2289 | Digium | Improper Input Validation vulnerability in Digium Asterisk 12.0.0/12.1.0 res/res_pjsip_exten_state.c in the PJSIP channel driver in Asterisk Open Source 12.x before 12.1.0 allows remote authenticated users to cause a denial of service (crash) via a SUBSCRIBE request without any Accept headers, which triggers an invalid pointer dereference. | 3.5 |
2014-04-18 | CVE-2014-2287 | Digium Fedoraproject | Improper Input Validation vulnerability in multiple products channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.15 before 1.8.15-cert5 and 11.6 before 11.6-cert2, when chan_sip has a certain configuration, allows remote authenticated users to cause a denial of service (channel and file descriptor consumption) via an INVITE request with a (1) Session-Expires or (2) Min-SE header with a malformed or invalid value. | 3.5 |
2014-04-18 | CVE-2014-2844 | F Secure | Cross-Site Scripting vulnerability in F-Secure Secure Messaging Secure Gateway 7.5.0 Cross-site scripting (XSS) vulnerability in F-Secure Messaging Secure Gateway 7.5.0 before Patch 1862 allows remote authenticated administrators to inject arbitrary web script or HTML via the new parameter in the SysUser module to admin. | 3.5 |
2014-04-16 | CVE-2014-2467 | Oracle | Remote Security vulnerability in Oracle Supply Chain Products Suite 9.3.3 Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Security, a different vulnerability than CVE-2014-2445. | 3.5 |
2014-04-16 | CVE-2014-2464 | Oracle | Remote Security vulnerability in Oracle Supply Chain Products Suite 9.3.3 Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. | 3.5 |
2014-04-16 | CVE-2014-2451 | Oracle | Remote Security vulnerability in Oracle MySQL Server Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Privileges. | 3.5 |
2014-04-16 | CVE-2014-2445 | Oracle | Remote Security vulnerability in Oracle Supply Chain Products Suite 9.3.3 Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Security, a different vulnerability than CVE-2014-2467. | 3.5 |
2014-04-16 | CVE-2014-2438 | Oracle Mariadb Redhat | Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication. | 3.5 |
2014-04-16 | CVE-2014-2430 | Oracle Mariadb Redhat | Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema. | 3.5 |
2014-04-16 | CVE-2014-2398 | Canonical Oracle Debian IBM | Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and JRockit R27.8.1 and R28.3.1 allows remote authenticated users to affect integrity via unknown vectors related to Javadoc. | 3.5 |
2014-04-16 | CVE-2014-0465 | Oracle | Remote Security vulnerability in Oracle Fusion Middleware 8.0 Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity via unknown vectors related to Admin Console. | 3.5 |
2014-04-15 | CVE-2014-0348 | Ontariosystems | Improper Authentication vulnerability in Ontariosystems products The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workstation 1.3.x before 1.3.9, Artiva Rm 3.1 MR7, Artiva Healthcare 5.2 MR5, and Artiva Architect 3.2 MR5, when the domain-name option is enabled, allows remote attackers to log in to arbitrary domain accounts by using the corresponding username on a Windows client machine. | 3.5 |
2014-04-15 | CVE-2014-0341 | Pivotx | Cross-Site Scripting vulnerability in Pivotx Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to objects.php; or the (5) email or (6) nickname field to pages.php, related to templates_internal/users.tpl. | 3.5 |
2014-04-16 | CVE-2014-2432 | Oracle Redhat Mariadb | Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated. | 2.8 |
2014-04-16 | CVE-2014-2420 | Oracle | Unspecified vulnerability in Oracle JDK and JRE Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect integrity via unknown vectors related to Deployment. | 2.6 |
2014-04-18 | CVE-2012-6646 | F Secure | Local Security Bypass vulnerability in F-Secure Anti-Virus, PSB Workstation Security and Safe Anywhere F-Secure Anti-Virus, Safe Anywhere, and PSB Workstation Security before 11500 for Mac OS X allows local users to disable the Mac OS X firewall via unspecified vectors. | 2.1 |
2014-04-17 | CVE-2014-1933 | Python Pythonware | Permissions, Privileges, and Access Controls vulnerability in multiple products The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 use the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes. | 2.1 |
2014-04-17 | CVE-2014-0085 | Redhat | Credentials Management vulnerability in Redhat Jboss A-Mq and Jboss Fuse JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. | 2.1 |
2014-04-16 | CVE-2013-1764 | Packagekit Project | Permissions, Privileges, and Access Controls vulnerability in Packagekit Project Packagekit The Zypper (aka zypp) backend in PackageKit before 0.8.8 allows local users to downgrade packages via the "install updates" method. | 2.1 |
2014-04-16 | CVE-2011-0993 | Novell | Permissions, Privileges, and Access Controls vulnerability in Novell Suse Lifecycle Management Server 1.0 SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors. | 2.1 |
2014-04-16 | CVE-2014-2466 | Oracle | Remote Security vulnerability in Oracle Supply Chain Products Suite 9.3.3 Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. | 2.1 |
2014-04-15 | CVE-2014-2690 | Citrix | Permissions, Privileges, and Access Controls vulnerability in Citrix Vdi-In-A-Box Citrix VDI-in-a-Box 5.3.x before 5.3.6 and 5.4.x before 5.4.3 allows local users to obtain administrator credentials by reading the log. | 2.1 |
2014-04-17 | CVE-2011-3154 | Canonical | Link Following vulnerability in Canonical Ubuntu Linux and Update-Manager DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file content for a user via a symlink attack on the temporary file. | 1.9 |