Weekly Vulnerabilities Reports > April 14 to 20, 2014

Overview

233 new vulnerabilities were reported during this period, including 21 critical vulnerabilities and 38 high severity vulnerabilities. This weekly summary reports vulnerabilities in 149 products from 70 vendors including Oracle, Paperthin, HP, Canonical, and Juniper. The most common weakness categories are "Permissions, Privileges, and Access Controls", "Improper Input Validation", "Cross-site Scripting", "Improper Authentication", and "Information Exposure".

  • 198 reported vulnerabilities are remotely exploitable.
  • 9 reported vulnerabilities have a public exploit available.
  • 31 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 174 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 101 reported vulnerabilities.
  • Oracle has the most reported critical vulnerabilities, with 9 reported vulnerabilities.

[Summary counter panel: total / critical risk / high risk / medium risk / low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application]

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


21 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-04-19 CVE-2013-6218 HP Unspecified vulnerability in HP Network Node Manager I

Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors.

10.0
2014-04-19 CVE-2013-6213 HP Remote Code Execution vulnerability in HP LoadRunner Virtual User Generator

Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

10.0
2014-04-18 CVE-2013-4290 Uclouvain Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Uclouvain Openjpeg

Stack-based buffer overflow in OpenJPEG before 1.5.2 allows remote attackers to have unspecified impact via unknown vectors to (1) lib/openjp3d/opj_jp3d_compress.c, (2) bin/jp3d/convert.c, or (3) lib/openjp3d/event.c.

10.0
2014-04-18 CVE-2013-4289 Uclouvain Numeric Errors vulnerability in Uclouvain Openjpeg

Multiple integer overflows in lib/openjp3d/jp3d.c in OpenJPEG before 1.5.2 allow remote attackers to have unspecified impact and vectors, which trigger a heap-based buffer overflow.

10.0
2014-04-16 CVE-2014-2421 Oracle Unspecified vulnerability in Oracle Javafx, JDK and JRE

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

10.0
2014-04-16 CVE-2014-0457 Oracle Unspecified vulnerability in Oracle Jdk, JRE and Jrockit

Unspecified vulnerability in Oracle Java SE 5.0u61, SE 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

10.0
2014-04-16 CVE-2014-0456 Oracle, Juniper, Canonical, Debian

Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

10.0
2014-04-16 CVE-2014-0429 Canonical, Debian, Oracle, Juniper

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

10.0
2014-04-15 CVE-2014-2874 Paperthin OS Command Injection vulnerability in Paperthin Commonspot Content Server

PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to execute arbitrary code via shell metacharacters in an unspecified context.

10.0
2014-04-15 CVE-2014-2867 Paperthin Unspecified vulnerability in Paperthin Commonspot Content Server

Unrestricted file upload vulnerability in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to execute arbitrary code by uploading a ColdFusion page, and then accessing it via unspecified vectors.

10.0
2014-04-15 CVE-2014-2866 Paperthin Code Injection vulnerability in Paperthin Commonspot Content Server

PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on client JavaScript code for access restrictions, which allows remote attackers to perform unspecified operations by modifying this code.

10.0
2014-04-15 CVE-2014-2864 Paperthin Path Traversal vulnerability in Paperthin Commonspot Content Server

Multiple directory traversal vulnerabilities in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allow remote attackers to have an unspecified impact via a filename parameter containing directory traversal sequences.

10.0
2014-04-15 CVE-2014-2863 Paperthin Path Traversal vulnerability in Paperthin Commonspot Content Server

Multiple absolute path traversal vulnerabilities in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allow remote attackers to have an unspecified impact via a full pathname in a parameter.

10.0
2014-04-19 CVE-2014-2731 Siemens Remote Code Execution vulnerability in Siemens Sinema Server 12.0

Multiple unspecified vulnerabilities in the integrated web server in Siemens SINEMA Server before 12 SP1 allow remote attackers to execute arbitrary code via HTTP traffic to port (1) 4999 or (2) 80.

9.3
2014-04-16 CVE-2014-2410 Oracle Remote Security vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX.

9.3
2014-04-16 CVE-2014-2397 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

9.3
2014-04-16 CVE-2014-0461 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

9.3
2014-04-16 CVE-2014-0455 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0432 and CVE-2014-2402.

9.3
2014-04-16 CVE-2014-0432 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0455 and CVE-2014-2402.

9.3
2014-04-15 CVE-2014-0514 Adobe Permissions, Privileges, and Access Controls vulnerability in Adobe Reader 11.1.0/11.1.3

The Adobe Reader Mobile application before 11.2 for Android does not properly restrict use of JavaScript, which allows remote attackers to execute arbitrary code via a crafted PDF document, a related issue to CVE-2012-6636.

9.3
2014-04-15 CVE-2014-0359 Xangati OS Command Injection vulnerability in Xangati Software Release and Xangati XNR

Xangati XSR before 11 and XNR before 7 allows remote attackers to execute arbitrary commands via shell metacharacters in a gui_input_test.pl params parameter to servlet/Installer.

9.0

38 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-04-19 CVE-2013-6215 HP Remote Code Execution vulnerability in HP Universal Configuration Management Database 10.01/10.10

Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 10.01 and 10.10 allows remote authenticated users to execute arbitrary code via unknown vectors, aka ZDI-CAN-1977.

8.5
2014-04-16 CVE-2014-2406 Oracle Remote Security vulnerability in Oracle Database

Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to "Advisor" and "Select Any Dictionary" privileges.

8.5
2014-04-17 CVE-2014-2707 Linuxfoundation OS Command Injection vulnerability in Linuxfoundation Cups-Filters

cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the (1) model or (2) PDL, related to "System V interface scripts generated for queues."

8.3
2014-04-15 CVE-2014-0356 Zyxel OS Command Injection vulnerability in Zyxel products

The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allows remote attackers to execute arbitrary code via shell metacharacters in input to the (1) detectWeather, (2) set_language, (3) SystemCommand, or (4) NTPSyncWithHost function in management.c, or a (5) SET COUNTRY, (6) SET WLAN SSID, (7) SET WLAN CHANNEL, (8) SET WLAN STATUS, or (9) SET WLAN COUNTRY udps command.

7.9
2014-04-15 CVE-2014-0355 Zyxel Buffer Errors vulnerability in Zyxel products

Multiple stack-based buffer overflows on the ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allow man-in-the-middle attackers to execute arbitrary code via (1) a long temp attribute in a yweather:condition element in a forecastrss file that is processed by the checkWeather function; the (2) WeatherCity or (3) WeatherDegree variable to the detectWeather function; unspecified input to the (4) UpnpAddRunRLQoS, (5) UpnpDeleteRunRLQoS, or (6) UpnpDeletePortCheckType function; or (7) the SET COUNTRY udps command.

7.9
2014-04-19 CVE-2014-1983 Cybozu Denial of Service vulnerability in Cybozu Remote Service Manager

Unspecified vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to cause a denial of service (CPU consumption) via unknown vectors.

7.8
2014-04-17 CVE-2014-0644 EMC Information Exposure vulnerability in EMC products

EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file.

7.8
2014-04-15 CVE-2014-2842 Juniper Resource Management Errors vulnerability in Juniper Screenos

Juniper ScreenOS 6.3 and earlier allows remote attackers to cause a denial of service (crash and restart or failover) via a malformed SSL/TLS packet.

7.8
2014-04-15 CVE-2014-2828 Openstack Improper Authentication vulnerability in Openstack Keystone

The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining."

7.8
2014-04-15 CVE-2014-0358 Xangati Path Traversal vulnerability in Xangati Software Release and Xangati XNR

Multiple directory traversal vulnerabilities in Xangati XSR before 11 and XNR before 7 allow remote attackers to read arbitrary files via a ..

7.8
2014-04-15 CVE-2014-0354 Zyxel Credentials Management vulnerability in Zyxel products

The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

7.8
2014-04-16 CVE-2014-2428 Oracle, IBM, HP

Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

7.6
2014-04-16 CVE-2014-0448 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7u51 and 8 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

7.6
2014-04-18 CVE-2014-2286 Digium, Fedoraproject Improper Input Validation vulnerability in multiple products

main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.x before 1.8.15-cert5 and 11.6 before 11.6-cert2, allows remote attackers to cause a denial of service (stack consumption) and possibly execute arbitrary code via an HTTP request with a large number of Cookie headers.

7.5
2014-04-18 CVE-2013-7369 F-Secure SQL Injection vulnerability in F-Secure products

SQL injection vulnerability in an unspecified DLL in the FSDBCom ActiveX control in F-Secure Anti-Virus for Microsoft Exchange Server before HF02, Anti-Virus for Windows Servers 9.00 before HF09, Anti-Virus for Citrix Servers 9.00 before HF09, and F-Secure Email and Server Security and F-Secure Server Security 9.20 before HF01 allows remote attackers to execute arbitrary SQL commands via unknown vectors, related to GetCommand.

7.5
2014-04-16 CVE-2013-4694 Nullsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nullsoft Winamp

Stack-based buffer overflow in gen_jumpex.dll in Winamp before 5.64 Build 3418 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a package with a long Skin directory name.

7.5
2014-04-16 CVE-2011-4195 Suse Unspecified vulnerability in Suse Kiwi, Studio Extension for System Z and Studio Onsite

kiwi before 4.98.05, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in an image name.

7.5
2014-04-16 CVE-2011-4192 Suse Unspecified vulnerability in Suse Kiwi, Studio Extension for System Z and Studio Onsite

kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile." Per: https://cwe.mitre.org/data/definitions/77.html "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"

7.5
2014-04-16 CVE-2011-3180 Suse Unspecified vulnerability in Suse Kiwi, Studio Extension for System Z and Studio Onsite

kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

7.5
2014-04-16 CVE-2014-2470 Oracle Remote Security vulnerability in Oracle WebLogic Server

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Security.

7.5
2014-04-16 CVE-2014-2427 IBM, Canonical, Oracle

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound.

7.5
2014-04-16 CVE-2014-2423 IBM, Oracle, HP, Canonical

Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-0458.

7.5
2014-04-16 CVE-2014-2414 IBM, Canonical, Oracle

Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXB.

7.5
2014-04-16 CVE-2014-2412 Oracle, Canonical

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, SE 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT, a different vulnerability than CVE-2014-0451.

7.5
2014-04-16 CVE-2014-2402 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0432 and CVE-2014-0455.

7.5
2014-04-16 CVE-2014-0458 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-2423.

7.5
2014-04-16 CVE-2014-0454 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security.

7.5
2014-04-16 CVE-2014-0452 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0458 and CVE-2014-2423.

7.5
2014-04-16 CVE-2014-0451 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT, a different vulnerability than CVE-2014-2412.

7.5
2014-04-16 CVE-2014-0446 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

7.5
2014-04-15 CVE-2014-2868 Paperthin Unspecified vulnerability in Paperthin Commonspot Content Server

PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to modify the flow of execution of ColdFusion code by using an HTTP GET request to set a ColdFusion variable.

7.5
2014-04-15 CVE-2014-2865 Paperthin Permissions, Privileges, and Access Controls vulnerability in Paperthin Commonspot Content Server

PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to bypass intended access restrictions via a '\0' character, as demonstrated by using this character within a pathname on the drive containing the web root directory of a ColdFusion installation.

7.5
2014-04-15 CVE-2014-2859 Paperthin Permissions, Privileges, and Access Controls vulnerability in Paperthin Commonspot Content Server

PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to bypass intended access restrictions via a direct request.

7.5
2014-04-15 CVE-2014-0107 Apache, Oracle Permissions, Privileges, and Access Controls vulnerability in multiple products

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

7.5
2014-04-15 CVE-2014-0342 Pivotx Arbitrary File Upload vulnerability in PivotX 'fileupload.php'

Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

7.5
2014-04-14 CVE-2014-2706 Linux, Oracle, Suse Race Condition vulnerability in multiple products

Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c.

7.1
2014-04-14 CVE-2014-2714 Juniper Improper Input Validation vulnerability in Juniper Junos

The Enhanced Web Filtering (EWF) in Juniper Junos before 10.4R15, 11.4 before 11.4R9, 12.1 before 12.1R7, 12.1X44 before 12.1X44-D20, 12.1X45 before 12.1X45-D10, and 12.1X46 before 12.1X46-D10, as used in the SRX Series services gateways, allows remote attackers to cause a denial of service (flow daemon crash and restart) via a crafted URL.

7.1
2014-04-14 CVE-2014-0614 Juniper Denial of Service vulnerability in Juniper Junos 13.2/13.3

Juniper Junos 13.2 before 13.2R3 and 13.3 before 13.3R1, when PIM is enabled, allows remote attackers to cause a denial of service (kernel panic and crash) via a large number of crafted IGMP packets.

7.1

147 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-04-15 CVE-2011-3628 Canonical Unspecified vulnerability in Canonical Libpam-Modules and Ubuntu Linux

Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.04 LTS, when using certain configurations such as "session optional pam_motd.so", allows local users to gain privileges by modifying the PATH environment variable to reference a malicious command, as demonstrated via uname.

6.9
2014-04-14 CVE-2014-2851 Linux, Debian Use After Free vulnerability in multiple products

Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.

6.9
2014-04-19 CVE-2014-1990 Toshibatec Cross-Site Request Forgery (CSRF) vulnerability in Toshibatec products

Cross-site request forgery (CSRF) vulnerability in TopAccess (aka the web-based management utility) on TOSHIBA TEC e-Studio 232, 233, 282, and 283 devices allows remote attackers to hijack the authentication of administrators for requests that change passwords.

6.8
2014-04-19 CVE-2014-1984 Cybozu Improper Authentication vulnerability in Cybozu Remote Service Manager

Session fixation vulnerability in the management screen in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to hijack web sessions via unspecified vectors.

6.8
2014-04-17 CVE-2014-0054 Springsource Cross-Site Request Forgery (CSRF) vulnerability in Springsource Spring Framework

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.

6.8
2014-04-17 CVE-2014-0036 Amos Benari Cryptographic Issues vulnerability in Amos Benari Rbovirt

The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

6.8
2014-04-16 CVE-2014-2422 HP, Oracle

Unspecified vulnerability in Oracle Java SE 7u51 and 8, and JavaFX 2.2.51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

6.8
2014-04-16 CVE-2014-2408 Oracle Remote Security vulnerability in Oracle Database

Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to the "Grant Any Object Privilege."

6.6
2014-04-19 CVE-2013-6212 HP Information Disclosure vulnerability in HP Database and Middleware Automation

Unspecified vulnerability in HP Database and Middleware Automation 10.0, 10.01, 10.10, and 10.20 before 10.20.100 allows remote authenticated users to obtain sensitive information via unknown vectors.

6.5
2014-04-17 CVE-2014-0111 Apache Code Injection vulnerability in Apache Syncope

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account links of resource mappings."

6.5
2014-04-17 CVE-2013-2143 Redhat, Theforeman Improper Input Validation vulnerability in multiple products

The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

6.5
2014-04-16 CVE-2014-2444 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to InnoDB.

6.5
2014-04-16 CVE-2014-2411 Oracle Remote Security vulnerability in Oracle Identity Analytics

Unspecified vulnerability in the Oracle Identity Analytics component in Oracle Fusion Middleware Oracle Identity Analytics 11.1.1.5 and Sun Role Manager 5.0 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Security.

6.5
2014-04-15 CVE-2014-2862 Paperthin Permissions, Privileges, and Access Controls vulnerability in Paperthin Commonspot Content Server

PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not check authorization in unspecified situations, which allows remote authenticated users to perform actions via unknown vectors.

6.5
2014-04-19 CVE-2014-1974 Lysesoft Path Traversal vulnerability in Lysesoft Andexplorer

Directory traversal vulnerability in the LYSESOFT AndExplorer application before 20140403 and AndExplorerPro application before 20140405 for Android allows attackers to overwrite or create arbitrary files via unspecified vectors.

6.4
2014-04-17 CVE-2014-0071 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Openstack 4.0

PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

6.4
2014-04-16 CVE-2014-2338 Strongswan Improper Authentication vulnerability in Strongswan

IKEv2 in strongSwan 4.0.7 before 5.1.3 allows remote attackers to bypass authentication by rekeying an IKE_SA during (1) initiation or (2) re-authentication, which triggers the IKE_SA state to be set to established.

6.4
2014-04-16 CVE-2014-2439 Oracle Remote Security vulnerability in Oracle Secure Global Desktop (SGD)

Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) component in Oracle Virtualization 5.0 and 5.1 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Workspace Web Application.

6.4
2014-04-16 CVE-2014-2409 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment.

6.4
2014-04-15 CVE-2014-0138 Haxx, Debian Improper Authentication vulnerability in multiple products

The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.

6.4
2014-04-18 CVE-2012-0871 Lennart Poettering, Opensuse Link Following vulnerability in multiple products

The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.

6.3
2014-04-16 CVE-2011-0460 KBD Project, Opensuse Link Following vulnerability in multiple products

The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

6.3
2014-04-15 CVE-2014-0353 Zyxel Improper Authentication vulnerability in Zyxel products

The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allows remote attackers to bypass authentication by using %2F sequences in place of / (slash) characters.

6.1
2014-04-16 CVE-2014-2455 Oracle Remote Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3

Unspecified vulnerability in the Hyperion Common Admin component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to User Interface.

6.0
2014-04-16 CVE-2014-2436 Oracle Remote Security vulnerability in Oracle Mysql and Solaris

Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR.

6.0
2014-04-15 CVE-2010-2236 Redhat Improper Input Validation vulnerability in Redhat Network Proxy, Network Satellite and Spacewalk-Java

The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, related to backticks.

6.0
2014-04-15 CVE-2014-0167 Openstack Permissions, Privileges, and Access Controls vulnerability in Openstack Compute and Icehouse

The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.

6.0
2014-04-15 CVE-2014-0105 Openstack Credentials Management vulnerability in Openstack Python-Keystoneclient

The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached."

6.0
2014-04-17 CVE-2014-2880 Oracle Improper Input Validation vulnerability in Oracle Identity Manager 11.1.2.1.0

Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backUrl parameter in a changepwd action to identity/faces/firstlogin.

5.8
2014-04-16 CVE-2014-0460 Oracle, Juniper

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via vectors related to JNDI.

5.8
2014-04-15 CVE-2013-6456 Redhat, Fedoraproject Link Following vulnerability in multiple products

The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to "paths under /proc/$PID/root" and the virInitctlSetRunLevel function.

5.8
2014-04-15 CVE-2014-1986 Kokuyo Permissions, Privileges, and Access Controls vulnerability in Kokuyo Camiapp 1.21.1

The Content Provider in the KOKUYO CamiApp application 1.21.1 and earlier for Android allows attackers to bypass intended access restrictions and read database information via a crafted application.

5.8
2014-04-15 CVE-2014-0139 Haxx Cryptographic Issues vulnerability in Haxx Curl and Libcurl

cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

5.8
2014-04-18 CVE-2013-7196 Phpfox Permissions, Privileges, and Access Controls vulnerability in PHPfox 3.7.3/3.7.4/3.7.5

static/ajax.php in PHPFox 3.7.3, 3.7.4, and 3.7.5 allows remote authenticated users to bypass intended "Only Me" restrictions and comment on a private publication via a request with a modified val[item_id] parameter for the publication.

5.5
2014-04-18 CVE-2013-7195 Phpfox Permissions, Privileges, and Access Controls vulnerability in PHPfox 3.7.3/3.7.4

PHPFox 3.7.3 and 3.7.4 allows remote authenticated users to bypass intended "Only Me" restrictions and "like" a publication via a request that specifies the ID for the publication.

5.5
2014-04-15 CVE-2014-0642 EMC Permissions, Privileges, and Access Controls vulnerability in EMC Documentum Content Server

EMC Documentum Content Server before 6.7 SP1 P26, 6.7 SP2 before P13, 7.0 before P13, and 7.1 before P02 allows remote authenticated users to bypass intended access restrictions and read metadata from certain folders via unspecified vectors.

5.5
2014-04-14 CVE-2014-0155 Linux Improper Input Validation vulnerability in Linux Kernel

The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC.

5.5
2014-04-14 CVE-2014-0077 Linux Out-Of-Bounds Write vulnerability in Linux Kernel

drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.

5.5
2014-04-16 CVE-2014-2440 Oracle Remote Security vulnerability in Oracle Mysql and Solaris

Unspecified vulnerability in the MySQL Client component in Oracle MySQL 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

5.1
2014-04-19 CVE-2014-2155 Cisco Improper Input Validation vulnerability in Cisco CNS Network Registrar 7.1

The DHCPv6 server module in Cisco CNS Network Registrar 7.1 allows remote attackers to cause a denial of service (daemon reload) via a malformed DHCPv6 packet, aka Bug ID CSCuo07437.

5.0
2014-04-19 CVE-2014-2733 Siemens Improper Input Validation vulnerability in Siemens Sinema Server 12.0

Siemens SINEMA Server before 12 SP1 allows remote attackers to cause a denial of service (web-interface outage) via crafted HTTP requests to port (1) 4999 or (2) 80.

5.0
2014-04-19 CVE-2014-2732 Siemens Path Traversal vulnerability in Siemens Sinema Server 12.0

Multiple directory traversal vulnerabilities in the integrated web server in Siemens SINEMA Server before 12 SP1 allow remote attackers to access arbitrary files via HTTP traffic to port (1) 4999 or (2) 80.

5.0
2014-04-19 CVE-2014-0778 Progea Information Exposure vulnerability in Progea Movicon 11.4

The TCPUploader module in Progea Movicon 11.4 before 11.4.1150 allows remote attackers to obtain potentially sensitive version information via network traffic to TCP port 10651.

5.0
2014-04-18 CVE-2013-4279 Gilles Lamiral Information Exposure vulnerability in Gilles Lamiral Imapsync

imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.

5.0
2014-04-17 CVE-2014-2469 Oracle Remote Denial of Service vulnerability in Oracle Sunos 5.11.1

Unspecified vulnerability in lighttpd in Oracle Solaris 11.1 allows attackers to cause a denial of service via unknown vectors.

5.0
2014-04-17 CVE-2014-2310 NET Snmp Improper Input Validation vulnerability in Net-Snmp

The AgentX subagent in Net-SNMP before 5.4.4 allows remote attackers to cause a denial of service (hang) by sending a multi-object request with an Object ID (OID) containing more subids than previous requests, a different vulnerability than CVE-2012-6151.

5.0
2014-04-16 CVE-2014-2461 Oracle Remote Security vulnerability in Oracle Transportation Management

Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 5.5.06, 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2, and 6.3.3 allows remote attackers to affect confidentiality via unknown vectors related to Security.

5.0
2014-04-16 CVE-2014-2448 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect confidentiality via unknown vectors related to Install and Packaging.

5.0
2014-04-16 CVE-2014-2447 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect confidentiality via unknown vectors related to Integration Broker, a different vulnerability than CVE-2014-2437.

5.0
2014-04-16 CVE-2014-2437 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect confidentiality via unknown vectors related to Integration Broker, a different vulnerability than CVE-2014-2447.

5.0
2014-04-16 CVE-2014-2433 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.53

Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote attackers to affect availability via unknown vectors related to Integration Broker.

5.0
2014-04-16 CVE-2014-2418 Oracle Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.3.0

Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2416, and CVE-2014-2417.

5.0
2014-04-16 CVE-2014-2417 Oracle Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.3.0

Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2416, and CVE-2014-2418.

5.0
2014-04-16 CVE-2014-2416 Oracle Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.3.0

Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

5.0
2014-04-16 CVE-2014-2415 Oracle Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.3.0

Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2416, CVE-2014-2417, and CVE-2014-2418.

5.0
2014-04-16 CVE-2014-2407 Oracle Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.3.0

Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2415, CVE-2014-2416, CVE-2014-2417, and CVE-2014-2418.

5.0
2014-04-16 CVE-2014-2403 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality via vectors related to JAXP.

5.0
2014-04-16 CVE-2014-2401 Oracle Unspecified vulnerability in Oracle Javafx, JDK and JRE

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality via unknown vectors related to 2D.

5.0
2014-04-16 CVE-2014-0450 Oracle Information Disclosure vulnerability in Oracle Fusion Middleware 11.1.1.7.0/11.1.1.8.0

Unspecified vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.7 and 11.1.1.8 allows remote attackers to affect confidentiality via unknown vectors related to People Connection.

5.0
2014-04-16 CVE-2014-0449 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality via unknown vectors related to Deployment.

5.0
2014-04-16 CVE-2014-0414 Oracle Remote Security vulnerability in Oracle Fusion Middleware 10.1.3.5

Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality via vectors related to HTTP Request Handling.

5.0
2014-04-16 CVE-2013-4768 Eucalyptus Improper Input Validation vulnerability in Eucalyptus

The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote attackers to cause a denial of service via vectors related to the "network connection clean up code" and (1) Cloud Controller (CLC), (2) Walrus, (3) Storage Controller (SC), and (4) VMware Broker (VB).

5.0
2014-04-15 CVE-2014-2858 Gopivotal Path Traversal vulnerability in Gopivotal Grails and Grails-Resources

Directory traversal vulnerability in the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 through 2.3.6 allows remote attackers to obtain sensitive information via unspecified vectors related to a "configured block." NOTE: this issue was SPLIT from CVE-2014-0053 per ADT2 due to different vulnerability types.

5.0
2014-04-15 CVE-2014-2857 Gopivotal Permissions, Privileges, and Access Controls vulnerability in Gopivotal Grails and Grails-Resources

The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 through 2.3.6 does not properly restrict access to files in the META-INF directory, which allows remote attackers to obtain sensitive information via a direct request.

5.0
2014-04-15 CVE-2014-0053 Gopivotal Permissions, Privileges, and Access Controls vulnerability in Gopivotal Grails and Grails-Resources

The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 before 2.3.6 does not properly restrict access to files in the WEB-INF directory, which allows remote attackers to obtain sensitive information via a direct request.

5.0
2014-04-15 CVE-2014-2873 Paperthin Information Exposure vulnerability in Paperthin Commonspot Content Server

PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not require authentication for access to log files, which allows remote attackers to obtain sensitive server information by using a predictable name in a request for a file.

5.0
2014-04-15 CVE-2014-2872 Paperthin Information Exposure vulnerability in Paperthin Commonspot Content Server

PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to obtain potentially sensitive information from a directory listing via unspecified vectors.

5.0
2014-04-15 CVE-2014-2871 Paperthin Information Exposure vulnerability in Paperthin Commonspot Content Server

PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on an HTTP session for entering credentials on login pages, which allows remote attackers to obtain sensitive information by sniffing the network.

5.0
2014-04-15 CVE-2014-2870 Paperthin Credentials Management vulnerability in Paperthin Commonspot Content Server

The default configuration of PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 uses cleartext for storage of credentials in a database, which makes it easier for context-dependent attackers to obtain sensitive information via unspecified vectors.

5.0
2014-04-15 CVE-2014-2869 Paperthin Information Exposure vulnerability in Paperthin Commonspot Content Server

PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to obtain sensitive information via requests to unspecified URIs, as demonstrated by pathname, SQL server, e-mail address, and IP address information.

5.0
2014-04-15 CVE-2014-0357 Amtelco Improper Authentication vulnerability in Amtelco Misecuremessages

Amtelco miSecureMessages allows remote attackers to read the messages of arbitrary users via an XML request containing a valid license key and a modified contactID value, as demonstrated by a request from the iOS or Android application.

5.0
2014-04-15 CVE-2013-5705 Trustwave, Debian

apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

5.0
2014-04-15 CVE-2013-5704 Apache Permissions, Privileges, and Access Controls vulnerability in Apache Http Server 2.2.22

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding.

5.0
2014-04-14 CVE-2014-2852 Openafs Improper Input Validation vulnerability in Openafs

OpenAFS before 1.6.7 delays the listen thread when an RXS_CheckResponse fails, which allows remote attackers to cause a denial of service (performance degradation) via an invalid packet.

5.0
2014-04-14 CVE-2014-2713 Juniper Denial of Service vulnerability in Juniper Junos

Juniper Junos before 11.4R11, 12.1 before 12.1R9, 12.2 before 12.2R7, 12.3R4 before 12.3R4-S3, 13.1 before 13.1R4, 13.2 before 13.2R2, and 13.3 before 13.3R1, as used in MX Series and T4000 routers, allows remote attackers to cause a denial of service (PFE restart) via a crafted IP packet to certain (1) Trio or (2) Cassis-based Packet Forwarding Engine (PFE) modules.

5.0
2014-04-14 CVE-2014-0612 Juniper Denial of Service vulnerability in Juniper Junos Branch SRX Series

Unspecified vulnerability in Juniper Junos before 11.4R10-S1, before 11.4R11, 12.1X44 before 12.1X44-D26, 12.1X44 before 12.1X44-D30, 12.1X45 before 12.1X45-D20, and 12.1X46 before 12.1X46-D10, when Dynamic IPsec VPN is configured, allows remote attackers to cause a denial of service (new Dynamic VPN connection failures and CPU and disk consumption) via unknown vectors.

5.0
2014-04-14 CVE-2014-0159 Openafs, Debian Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Buffer overflow in the GetStatistics64 remote procedure call (RPC) in OpenAFS 1.4.8 before 1.6.7 allows remote attackers to cause a denial of service (crash) via a crafted statsVersion argument.

5.0
2014-04-14 CVE-2014-0128 Squid Cache, Opensuse Improper Input Validation vulnerability in multiple products

Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management.

5.0
2014-04-18 CVE-2014-2597 Remote RAC Improper Input Validation vulnerability in Remote-Rac RAC Server 4.0.4/4.0.5

PCNetSoftware RAC Server 4.0.4 and 4.0.5 allows local users to cause a denial of service (disabled keyboard or crash) via a large input buffer to unspecified IOCTL requests in RACDriver.sys, which triggers a buffer over-read.

4.9
2014-04-18 CVE-2014-0150 Qemu, Redhat Numeric Errors vulnerability in multiple products

Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow.

4.9
2014-04-16 CVE-2014-2426 Oracle Remote Security vulnerability in Oracle Fusion Middleware 8.0

Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity and availability via unknown vectors related to Admin Console.

4.9
2014-04-16 CVE-2014-0447 Oracle, SUN Local Security vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local users to affect availability via unknown vectors related to Kernel, a different vulnerability than CVE-2013-5876.

4.9
2014-04-15 CVE-2014-2384 Vmware Resource Management Errors vulnerability in VMWare Player and Workstation

vmx86.sys in VMware Workstation 10.0.1 build 1379776 and VMware Player 6.0.1 build 1379776 on Windows might allow local users to cause a denial of service (read access violation and system crash) via a crafted buffer in an IOCTL call.

4.9
2014-04-17 CVE-2014-0645 EMC Credentials Management vulnerability in EMC products

EMC Cloud Tiering Appliance (CTA) 9.x through 10 SP1 and File Management Appliance (FMA) 7.x store DES password hashes for the root, super, and admin accounts, which makes it easier for context-dependent attackers to obtain sensitive information via a brute-force attack.

4.7
2014-04-16 CVE-2011-4089 Bzip Permissions, Privileges, and Access Controls vulnerability in Bzip Bzip2

The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

4.6
2014-04-16 CVE-2014-0442 Oracle, SUN Local Security vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Solaris 9, 10, and 11.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Print Filter Utility.

4.6
2014-04-16 CVE-2014-0421 SUN Local Security vulnerability in SUN Sunos 5.10

Unspecified vulnerability in Oracle Solaris 10, when running on the SPARC64-X Platform, allows local users to affect confidentiality, integrity, and availability via unknown vectors.

4.6
2014-04-15 CVE-2014-0924 IBM Improper Input Validation vulnerability in IBM Messagesight and Messagesight JMS Client

IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 does not verify that all of the characters of a password are correct, which makes it easier for remote authenticated users to bypass intended access restrictions by leveraging knowledge of a password substring.

4.6
2014-04-14 CVE-2014-2739 Linux Improper Input Validation vulnerability in Linux Kernel 3.14/3.14.1

The cma_req_handler function in drivers/infiniband/core/cma.c in the Linux kernel 3.14.x through 3.14.1 attempts to resolve an RDMA over Converged Ethernet (aka RoCE) address that is properly resolved within a different module, which allows remote attackers to cause a denial of service (incorrect pointer dereference and system crash) via crafted network traffic.

4.6
2014-04-17 CVE-2014-1932 Python, Pythonware Link Following vulnerability in multiple products

The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.

4.4
2014-04-16 CVE-2014-2441 Oracle Local Security vulnerability in Oracle VM VirtualBox

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.1.32, 4.2.24, and 4.3.10 allows local users to affect confidentiality, integrity, and availability via vectors related to Graphics driver (WDDM) for Windows guests.

4.4
2014-04-15 CVE-2008-3277 Openfabrics, Redhat Path Traversal vulnerability in Openfabrics Ibutils 1.211.2/1.5.72

Untrusted search path vulnerability in a certain Red Hat build script for the ibmssh executable in ibutils packages before ibutils-1.5.7-2.el6 in Red Hat Enterprise Linux (RHEL) 6 and ibutils-1.2-11.2.el5 in Red Hat Enterprise Linux (RHEL) 5 allows local users to gain privileges via a Trojan Horse program in refix/lib/, related to an incorrect RPATH setting in the ELF header.

4.4
2014-04-15 CVE-2014-2580 XEN Resource Management Errors vulnerability in XEN

The netback driver in Xen, when using certain Linux versions that do not allow sleeping in softirq context, allows local guest administrators to cause a denial of service ("scheduling while atomic" error and host crash) via a malformed packet, which causes a mutex to be taken when trying to disable the interface.

4.4
2014-04-18 CVE-2014-2288 Digium Improper Input Validation vulnerability in Digium Asterisk 12.0.0/12.1.0

The PJSIP channel driver in Asterisk Open Source 12.x before 12.1.1, when qualify_frequency "is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request," allows remote attackers to cause a denial of service (crash) via a PJSIP endpoint that does not have an associated outgoing request.

4.3
2014-04-18 CVE-2014-2014 Gilles Lamiral Credentials Management vulnerability in Gilles Lamiral Imapsync

imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

4.3
2014-04-18 CVE-2014-2856 Apple Cross-Site Scripting vulnerability in Apple Cups

Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function.

4.3
2014-04-17 CVE-2014-2879 Sonicwall Cross-Site Scripting vulnerability in Sonicwall Email Security Appliance

Multiple cross-site scripting (XSS) vulnerabilities in Dell SonicWALL Email Security 7.4.5 and earlier allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the uploadPatch parameter to the System/Advanced page (settings_advanced.html) or (2) the uploadLicenses parameter in the License management (settings_upload_dlicense.html) page.

4.3
2014-04-17 CVE-2014-0984 SAP Permissions, Privileges, and Access Controls vulnerability in SAP Router 710/720/721

The passwordCheck function in SAP Router 721 patch 117, 720 patch 411, 710 patch 029, and earlier terminates validation of a Route Permission Table entry password upon encountering the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack.

4.3
2014-04-16 CVE-2011-4193 Suse Cross-Site Scripting vulnerability in Suse Studio Extension for System Z and Studio Onsite

Cross-site scripting (XSS) vulnerability in the overlay files tab in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted application, related to cloning.

4.3
2014-04-16 CVE-2014-2471 Oracle Remote Security vulnerability in Oracle Ilearning 6.0/6.1

Unspecified vulnerability in the Oracle iLearning component in Oracle iLearning 6.0 and 6.1 allows remote attackers to affect integrity via unknown vectors related to Learner Pages.

4.3
2014-04-16 CVE-2014-2468 Oracle Remote Security vulnerability in Oracle Siebel CRM 8.1.1/8.2.2

Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via vectors related to Open_UI, a different vulnerability than CVE-2014-4230.

4.3
2014-04-16 CVE-2014-2465 Oracle Remote Security vulnerability in Oracle Supply Chain products Suite 9.3.3

Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote attackers to affect integrity via unknown vectors related to Security.

4.3
2014-04-16 CVE-2014-2463 Oracle Remote Security vulnerability in Oracle Secure Global Desktop (SGD)

Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) component in Oracle Virtualization 4.63, 4.71, 5.0, and 5.1 allows remote attackers to affect integrity via unknown vectors related to Workspace Web Application, a different vulnerability than CVE-2014-4232.

4.3
2014-04-16 CVE-2014-2458 Oracle Remote Security vulnerability in Oracle Supply Chain products Suite 6.1.0.3/6.1.1.3

Unspecified vulnerability in the Oracle Agile Product Lifecycle component in Oracle Supply Chain Products Suite 6.1.0.3 and 6.1.1.3 allows remote attackers to affect integrity via unknown vectors related to Install.

4.3
2014-04-16 CVE-2014-2457 Oracle Remote Security vulnerability in Oracle Supply Chain products Suite 6.0.0/6.1.0

Unspecified vulnerability in the Oracle Agile Product Lifecycle component in Oracle Supply Chain Products Suite 6.0 and 6.1.0 allows remote attackers to affect integrity via unknown vectors related to Install.

4.3
2014-04-16 CVE-2014-2454 Oracle Remote Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3

Unspecified vulnerability in the Hyperion Common Admin component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote attackers to affect confidentiality via unknown vectors related to User Interface.

4.3
2014-04-16 CVE-2014-2453 Oracle Remote Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3

Unspecified vulnerability in the Hyperion Common Admin component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote attackers to affect integrity via unknown vectors related to User Interface.

4.3
2014-04-16 CVE-2014-2443 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect integrity via vectors related to PIA Core Technology.

4.3
2014-04-16 CVE-2014-2413 Oracle, HP, Canonical

Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect integrity via unknown vectors related to Libraries.

4.3
2014-04-16 CVE-2014-2400 Oracle Cross-Site Scripting vulnerability in Oracle Fusion Middleware 2.2.2

Unspecified vulnerability in the Oracle Endeca Server component in Oracle Fusion Middleware 2.2.2 allows remote attackers to affect integrity via unknown vectors related to Oracle Endeca Information Discovery (Formerly Latitude), a different vulnerability than CVE-2014-2399.

4.3
2014-04-16 CVE-2014-2399 Oracle Cross-Site Request Forgery vulnerability in Oracle Fusion Middleware 2.2.2

Unspecified vulnerability in the Oracle Endeca Server component in Oracle Fusion Middleware 2.2.2 allows remote attackers to affect integrity via unknown vectors related to Oracle Endeca Information Discovery (Formerly Latitude), a different vulnerability than CVE-2014-2400.

4.3
2014-04-16 CVE-2014-0464 Oracle Remote Security vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0463.

4.3
2014-04-16 CVE-2014-0463 Oracle Remote Security vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0464.

4.3
2014-04-16 CVE-2014-0459 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect availability via unknown vectors related to 2D.

4.3
2014-04-16 CVE-2014-0426 Oracle Remote Security vulnerability in Oracle Fusion Middleware 10.1.3.5

Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect integrity via vectors related to HTTP Request Handling, a different vulnerability than CVE-2014-0413.

4.3
2014-04-16 CVE-2014-0413 Oracle Remote Security vulnerability in Oracle Fusion Middleware 10.1.3.5

Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect integrity via vectors related to HTTP Request Handling, a different vulnerability than CVE-2014-0426.

4.3
2014-04-15 CVE-2012-0214 Advanced Package Tool Permissions, Privileges, and Access Controls vulnerability in Advanced Package Tool Advanced Package Tool

The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user from downloading the new InRelease file, which leaves the original InRelease file active and makes it more difficult to detect that the Packages file is modified and unsigned.

4.3
2014-04-15 CVE-2014-2861 Paperthin Unspecified vulnerability in Paperthin Commonspot Content Server

Incomplete blacklist vulnerability in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string, as demonstrated by bypassing a protection mechanism that removes only the "alert" string.

4.3
2014-04-15 CVE-2014-2860 Paperthin Cross-Site Scripting vulnerability in Paperthin Commonspot Content Server

Multiple cross-site scripting (XSS) vulnerabilities in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allow remote attackers to inject arbitrary web script or HTML via a crafted HTTP request to a (1) ColdFusion or (2) JavaScript component.

4.3
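The two CommonSpot entries above share one lesson: a filter that deletes a known-bad token is not an XSS defence. The example below is added here and is not CommonSpot's code; it models the described protection (strip the literal string "alert") next to the fix (encode the value for its HTML context). The payloads are constructed.

```python
import html
import re


def blacklist_filter(value: str) -> str:
    """Model of the protection the CVE text describes (constructed): drop the
    literal string 'alert' and reflect the rest. str.replace removes every
    occurrence in a single left-to-right pass without rescanning, so a payload
    can be written to reassemble after the removal."""
    return value.replace("alert", "")


def render_blacklisted(user_value: str) -> str:
    return f"<p>Hello, {blacklist_filter(user_value)}</p>"


def escape_for_html(user_value: str) -> str:
    """Fix: treat the value as data and encode it for an HTML text context.
    quote=True also encodes quotes, so the same call is safe inside a quoted
    attribute value."""
    return html.escape(user_value, quote=True)


def render_escaped(user_value: str) -> str:
    return f"<p>Hello, {escape_for_html(user_value)}</p>"


def contains_tag(fragment: str) -> bool:
    """Crude check that an element start survived into the fragment."""
    return re.search(r"<\s*/?[a-zA-Z]", fragment) is not None
```

Two bypasses follow directly: "alalertert" collapses to "alert" after one removal, and a payload such as an img onerror handler never contained the blacklisted word to begin with. The encoded rendering leaves no "<" in the user-controlled part, so neither payload becomes markup.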
2014-04-15 CVE-2014-0923 IBM Improper Input Validation vulnerability in IBM Messagesight and Messagesight JMS Client

IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allows remote attackers to cause a denial of service (daemon restart) via crafted MQ Telemetry Transport (MQTT) authentication data.

4.3
2014-04-15 CVE-2014-0922 IBM Improper Input Validation vulnerability in IBM Messagesight and Messagesight JMS Client

IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allows remote attackers to cause a denial of service (resource consumption) via WebSockets MQ Telemetry Transport (MQTT) data.

4.3
2014-04-15 CVE-2014-0921 IBM Improper Input Validation vulnerability in IBM Messagesight and Messagesight JMS Client

The server in IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allows remote attackers to cause a denial of service (daemon crash and message data loss) via malformed headers during a WebSockets connection upgrade.

4.3
2014-04-15 CVE-2013-7368 Raoul Proenca Cross-Site Scripting vulnerability in Raoul Proenca Gnew 2013.1

Multiple cross-site scripting (XSS) vulnerabilities in Gnew 2013.1 allow remote attackers to inject arbitrary web script or HTML via the gnew_template parameter to (1) users/profile.php, (2) articles/index.php, or (3) admin/polls.php; (4) category_id parameter to news/submit.php; news_id parameter to (5) news/send.php or (6) comments/add.php; or (7) post_subject or (8) thread_id parameter to posts/edit.php.

4.3
2014-04-15 CVE-2014-0157 Openstack, Opensuse Cross-Site Scripting vulnerability in multiple products

Cross-site scripting (XSS) vulnerability in the Horizon Orchestration dashboard in OpenStack Dashboard (aka Horizon) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to inject arbitrary web script or HTML via the description field of a Heat template.

4.3
2014-04-14 CVE-2014-2712 Juniper Cross-Site Scripting vulnerability in Juniper Junos

Cross-site scripting (XSS) vulnerability in J-Web in Juniper Junos before 10.0S25, 10.4 before 10.4R10, 11.4 before 11.4R11, 12.1 before 12.1R9, 12.1X44 before 12.1X44-D30, 12.1X45 before 12.1X45-D20, 12.1X46 before 12.1X46-D10, and 12.2 before 12.2R1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to index.php.

4.3
2014-04-14 CVE-2014-2711 Juniper Cross-Site Scripting vulnerability in Juniper Junos

Cross-site scripting (XSS) vulnerability in J-Web in Juniper Junos before 11.4R11, 11.4X27 before 11.4X27.62 (BBE), 12.1 before 12.1R9, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.2 before 12.2R7, 12.3 before 12.3R6, 13.1 before 13.1R4, 13.2 before 13.2R3, and 13.3 before 13.3R1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-04-20 CVE-2014-2665 Mediawiki Improper Authentication vulnerability in Mediawiki

includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to log in to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.

4.0
2014-04-20 CVE-2014-1517 Mozilla, Fedoraproject Improper Authentication vulnerability in multiple products

The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to log in to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue.

4.0
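The MediaWiki and Bugzilla entries above describe the same flaw: a login form that accepts any well-formed POST with valid credentials, so a page on the attacker's site can submit the attacker's own credentials from the victim's browser and leave the victim working inside the attacker's account. The following added example, which is neither project's code, models that handler and the fix: a single-use token bound to the anonymous session when the form is rendered, required back on POST, plus rotation of the session id on login. Accounts and passwords are constructed and held in plaintext only to keep the example short.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo accounts. A real system stores password hashes.
USERS = {"attacker": "attacker-pass", "victim": "victim-pass"}


@dataclass
class Session:
    user: Optional[str] = None
    login_token: Optional[str] = None


class VulnerableLogin:
    """Honours any POST carrying valid credentials, regardless of which site's
    page submitted it. That is the login CSRF both CVEs describe."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session()
        return sid

    def login_form(self, sid: str) -> Optional[str]:
        return None  # no anti-CSRF token is issued with the form

    def login(self, sid: str, username: str, password: str,
              token: Optional[str] = None) -> Optional[str]:
        """Returns the session id now holding the user, or None on failure."""
        if USERS.get(username) != password:
            return None
        self.sessions[sid].user = username
        return sid


class HardenedLogin(VulnerableLogin):
    """Fix: a token bound to the anonymous session, consumed on use, and a
    fresh session id once authenticated."""

    def login_form(self, sid: str) -> Optional[str]:
        token = secrets.token_urlsafe(32)
        self.sessions[sid].login_token = token
        return token

    def login(self, sid: str, username: str, password: str,
              token: Optional[str] = None) -> Optional[str]:
        sess = self.sessions[sid]
        expected, sess.login_token = sess.login_token, None  # single use
        if not (expected and token and hmac.compare_digest(expected, token)):
            return None
        if USERS.get(username) != password:
            return None
        del self.sessions[sid]  # never keep the pre-login id after login
        new_sid = self.new_session()
        self.sessions[new_sid].user = username
        return new_sid


def simulate_login_csrf(app: VulnerableLogin) -> Optional[str]:
    """The victim's browser, on attacker.example, auto-submits a login form
    with the attacker's credentials. The attacker can obtain a token in their
    own session but cannot read the one bound to the victim's cookie."""
    attacker_sid = app.new_session()
    attacker_token = app.login_form(attacker_sid)
    victim_sid = app.new_session()
    result_sid = app.login(victim_sid, "attacker", "attacker-pass", attacker_token)
    return app.sessions[result_sid].user if result_sid else None


def simulate_legitimate_login(app: VulnerableLogin) -> Optional[str]:
    sid = app.new_session()
    token = app.login_form(sid)
    result_sid = app.login(sid, "victim", "victim-pass", token)
    return app.sessions[result_sid].user if result_sid else None
```

Against the vulnerable handler the victim's session ends up owned by "attacker"; against the hardened one the forged POST is refused because its token (if any) belongs to a different session, while a genuine same-origin login still succeeds.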
2014-04-19 CVE-2013-6214 HP Information Disclosure vulnerability in HP Universal Configuration Management Database 10.01/10.10/9.05

Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

4.0
2014-04-18 CVE-2014-2522 Haxx, Microsoft Improper Input Validation vulnerability in Haxx Curl and Libcurl

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

4.0
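The curl entry above is a reminder that certificate identity checks have a separate branch for IP-literal hosts, and that skipping that branch accepts any valid certificate. The added example below is not curl's code; it implements the check over certificate identities in the shape Python's ssl.getpeercert() returns (subjectAltName pairs and subject RDNs, both constructed here), alongside a model of the skipped check the CVE text describes. IP literals match only iPAddress SAN entries, compared as addresses; DNS names match dNSName entries with a single left-most wildcard label; the Common Name is consulted only for legacy certificates with no SAN at all.

```python
import ipaddress
from typing import Optional, Sequence, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed certificate identities in ssl.getpeercert() layout.
CERT_WITH_SAN = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.net"),),)}


def _parse_ip(host: str) -> Optional[IPAddr]:
    """IP literal or None. Accepts bracketed IPv6 as written in URLs."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern: str, host: str) -> bool:
    """dNSName match: case-insensitive; a wildcard is allowed only as the whole
    left-most label, needs at least two labels after it, and never spans a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, host: str) -> bool:
    """Correct behaviour: IP-literal hosts are checked against iPAddress SAN
    entries, names against dNSName entries; the CN is a fallback only when the
    certificate carries no SAN."""
    ip = _parse_ip(host)
    san: Sequence[Tuple[str, str]] = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address":
                if _parse_ip(value) == ip:
                    return True
            elif ip is None and kind == "DNS":
                if _dns_match(value, host):
                    return True
        return False  # SAN present: the CN is not consulted
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                if ip is not None:
                    return _parse_ip(value) == ip
                return _dns_match(value, host)
    return False


def skip_check_for_ip_literal(cert: dict, host: str) -> bool:
    """Model of the behaviour the CVE text describes (constructed, not curl's
    code): for a numeric host the identity check is skipped, so any valid
    certificate, issued to any name, is accepted."""
    if _parse_ip(host) is not None:
        return True
    return cert_matches_host(cert, host)
```

The addresses are compared as parsed values rather than strings, so textual variants of the same IPv6 address still match, and an IPv4 host never matches an IPv6 entry or vice versa.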
2014-04-16 CVE-2014-1453 Freebsd Resource Management Errors vulnerability in Freebsd

The NFS server (nfsserver) in FreeBSD 8.3 through 10.0 does not acquire locks in the proper order when converting a directory file handle to a vnode, which allows remote authenticated users to cause a denial of service (deadlock) via vectors involving a thread that uses the correct locking order.

4.0
2014-04-16 CVE-2014-2460 Oracle Remote Security vulnerability in Oracle Transportation Management

Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 5.5.06, 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2, and 6.3.3 allows remote authenticated users to affect confidentiality via vectors related to CSV Management.

4.0
2014-04-16 CVE-2014-2452 Oracle Remote Security vulnerability in Oracle Fusion Middleware 11.1.1.5.0

Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5 allows remote authenticated users to affect availability via unknown vectors related to Webserver Plugin.

4.0
2014-04-16 CVE-2014-2450 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

4.0
2014-04-16 CVE-2014-2449 Oracle Remote Security vulnerability in Oracle Peoplesoft products 9.0/9.1/9.2

Unspecified vulnerability in the PeopleSoft Enterprise HRMS Talent Acquisition Manager component in Oracle PeopleSoft Products 9.0, 9.1, and 9.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.

4.0
2014-04-16 CVE-2014-2446 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via vectors related to QAS.

4.0
2014-04-16 CVE-2014-2442 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to MyISAM.

4.0
2014-04-16 CVE-2014-2435 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in Oracle MySQL Server 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

4.0
2014-04-16 CVE-2014-2434 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to DML.

4.0
2014-04-16 CVE-2014-2429 Oracle Remote Security vulnerability in Oracle Peoplesoft products 9.0

Unspecified vulnerability in the PeopleSoft Enterprise CS Campus Self Service component in Oracle PeopleSoft Products 9.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Campus Mobile.

4.0
2014-04-16 CVE-2014-2425 Oracle Remote Security vulnerability in Oracle Fusion Middleware 8.0

Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect confidentiality via unknown vectors.

4.0
2014-04-16 CVE-2014-2424 Oracle Remote Security vulnerability in Oracle Fusion Middleware 11.1.1.7.0

Unspecified vulnerability in the Oracle Event Processing component in Oracle Fusion Middleware 11.1.1.7.0 allows remote authenticated users to affect integrity via vectors related to CEP system.

4.0
2014-04-16 CVE-2014-2419 Oracle Remote Security vulnerability in Oracle Mysql and Solaris

Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.

4.0
2014-04-16 CVE-2014-2404 Oracle Remote Security vulnerability in Oracle Access Manager

Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 10.1.4.3, 11.1.1.3.0, 11.1.1.5.0, 11.1.1.7.0, 11.1.2.0.0, 11.1.2.1.0, and 11.1.2.2.0 allows remote authenticated users to affect confidentiality via unknown vectors related to WebGate.

4.0
2014-04-16 CVE-2014-0453 Oracle, Canonical, Debian Unspecified vulnerability in Oracle Java SE, JRockit and Java SE Embedded

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security.

4.0
2014-04-16 CVE-2014-0384 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to XML.

4.0
2014-04-14 CVE-2010-5298 Openssl Race Condition vulnerability in Openssl

Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.

4.0

27 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-04-19 CVE-2013-6219 HP Local Unauthorized Access vulnerability in HP HP-UX Whitelisting A.01.02

Unspecified vulnerability in HP HP-UX Whitelisting (aka WLI) before A.01.02.02 on HP-UX B.11.31 allows local users to bypass intended access restrictions via unknown vectors.

3.8
2014-04-16 CVE-2014-2459 Oracle Local Security vulnerability in Oracle Transportation Management

Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.3.2 and 6.3.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Security.

3.7
2014-04-16 CVE-2011-4406 Canonical Permissions, Privileges, and Access Controls vulnerability in Canonical Accountsservice and Ubuntu Linux

The Ubuntu AccountsService package before 0.6.14-1git1ubuntu1.1 does not properly drop privileges when changing language settings, which allows local users to modify arbitrary files via unspecified vectors.

3.6
2014-04-18 CVE-2014-2289 Digium Improper Input Validation vulnerability in Digium Asterisk 12.0.0/12.1.0

res/res_pjsip_exten_state.c in the PJSIP channel driver in Asterisk Open Source 12.x before 12.1.0 allows remote authenticated users to cause a denial of service (crash) via a SUBSCRIBE request without any Accept headers, which triggers an invalid pointer dereference.

3.5
2014-04-18 CVE-2014-2287 Digium, Fedoraproject Improper Input Validation vulnerability in multiple products

channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.15 before 1.8.15-cert5 and 11.6 before 11.6-cert2, when chan_sip has a certain configuration, allows remote authenticated users to cause a denial of service (channel and file descriptor consumption) via an INVITE request with a (1) Session-Expires or (2) Min-SE header with a malformed or invalid value.

3.5
2014-04-18 CVE-2014-2844 F Secure Cross-Site Scripting vulnerability in F-Secure Secure Messaging Secure Gateway 7.5.0

Cross-site scripting (XSS) vulnerability in F-Secure Messaging Secure Gateway 7.5.0 before Patch 1862 allows remote authenticated administrators to inject arbitrary web script or HTML via the new parameter in the SysUser module to admin.

3.5
2014-04-16 CVE-2014-2467 Oracle Remote Security vulnerability in Oracle Supply Chain products Suite 9.3.3

Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Security, a different vulnerability than CVE-2014-2445.

3.5
2014-04-16 CVE-2014-2464 Oracle Remote Security vulnerability in Oracle Supply Chain products Suite 9.3.3

Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.

3.5
2014-04-16 CVE-2014-2451 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Privileges.

3.5
2014-04-16 CVE-2014-2445 Oracle Remote Security vulnerability in Oracle Supply Chain products Suite 9.3.3

Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Security, a different vulnerability than CVE-2014-2467.

3.5
2014-04-16 CVE-2014-2438 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication.

3.5
2014-04-16 CVE-2014-2430 Oracle Remote Security vulnerability in Oracle Mysql and Solaris

Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema.

3.5
2014-04-16 CVE-2014-2398 Oracle Unspecified vulnerability in Oracle products

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and JRockit R27.8.1 and R28.3.1 allows remote authenticated users to affect integrity via unknown vectors related to Javadoc.

3.5
2014-04-16 CVE-2014-0465 Oracle Remote Security vulnerability in Oracle Fusion Middleware 8.0

Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity via unknown vectors related to Admin Console.

3.5
2014-04-15 CVE-2014-0348 Ontariosystems Improper Authentication vulnerability in Ontariosystems products

The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workstation 1.3.x before 1.3.9, Artiva Rm 3.1 MR7, Artiva Healthcare 5.2 MR5, and Artiva Architect 3.2 MR5, when the domain-name option is enabled, allows remote attackers to login to arbitrary domain accounts by using the corresponding username on a Windows client machine.

3.5
2014-04-15 CVE-2014-0341 Pivotx Cross-Site Scripting vulnerability in Pivotx

Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to objects.php; or the (5) email or (6) nickname field to pages.php, related to templates_internal/users.tpl.

3.5
2014-04-16 CVE-2014-2432 Oracle Remote Security vulnerability in Oracle Mysql and Solaris

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated.

2.8
2014-04-16 CVE-2014-2431 Oracle Remote Security vulnerability in Oracle Mysql and Solaris

Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options.

2.6
2014-04-16 CVE-2014-2420 IBM, HP, Oracle Unspecified vulnerability in Oracle Java SE and Java SE Embedded

Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect integrity via unknown vectors related to Deployment.

2.6
2014-04-18 CVE-2012-6646 F Secure Local Security Bypass vulnerability in F-Secure Anti-Virus, PSB Workstation Security and Safe Anywhere

F-Secure Anti-Virus, Safe Anywhere, and PSB Workstation Security before 11500 for Mac OS X allows local users to disable the Mac OS X firewall via unspecified vectors.

2.1
2014-04-17 CVE-2014-1933 Python, Pythonware Permissions, Privileges, and Access Controls vulnerability in multiple products

The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Imaging Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 use the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.

2.1
2014-04-17 CVE-2014-0085 Redhat Credentials Management vulnerability in Redhat Jboss A-Mq and Jboss Fuse

JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper.

2.1
2014-04-16 CVE-2013-1764 Packagekit Project Permissions, Privileges, and Access Controls vulnerability in Packagekit Project Packagekit

The Zypper (aka zypp) backend in PackageKit before 0.8.8 allows local users to downgrade packages via the "install updates" method.

2.1
2014-04-16 CVE-2011-0993 Novell Permissions, Privileges, and Access Controls vulnerability in Novell Suse Lifecycle Management Server 1.0

SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

2.1
2014-04-16 CVE-2014-2466 Oracle Remote Security vulnerability in Oracle Supply Chain products Suite 9.3.3

Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.

2.1
2014-04-15 CVE-2014-2690 Citrix Permissions, Privileges, and Access Controls vulnerability in Citrix Vdi-In-A-Box

Citrix VDI-in-a-Box 5.3.x before 5.3.6 and 5.4.x before 5.4.3 allows local users to obtain administrator credentials by reading the log.

2.1
2014-04-17 CVE-2011-3154 Canonical Link Following vulnerability in Canonical Ubuntu Linux and Update-Manager

DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file content for a user via a symlink attack on the temporary file.

1.9
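The PIL/Pillow and Update Manager entries in this section are both temporary-file symlink attacks: a local user learns or guesses the path (from the process list in one case, from a predictable name in the other), plants a symlink there ahead of time, and the victim process writes through it. The added example below is not either project's code; it reproduces the attack inside a scratch directory against an open() with a predictable name, then shows the same write refused when the file is created with O_EXCL and O_NOFOLLOW, which is what tempfile.mkstemp() does with a random name. Paths and contents are constructed.

```python
import os
import shutil
import tempfile
from typing import Dict, Optional


def write_with_predictable_name(path: str, data: str) -> None:
    """The pattern behind both CVEs (constructed, not the projects' code): a
    guessable name in a shared directory opened with plain open(), which
    creates the file if absent and otherwise follows whatever is already
    there, including a symlink another local user planted."""
    with open(path, "w") as fh:
        fh.write(data)


def write_exclusive(path: str, data: str) -> None:
    """O_EXCL fails creation if anything (file or symlink) already sits at the
    path, O_NOFOLLOW refuses to traverse a symlink, and mode 0600 keeps the
    content private. tempfile.mkstemp() applies the same flags to a random name."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def run_scenario(secure: bool) -> Dict[str, Optional[str]]:
    """Attacker pre-creates shared/<predictable>.tmp -> victim's private file;
    the victim then writes its temporary data. Returns what the private file
    holds afterwards and the exception type (if any) the victim's write raised."""
    work = tempfile.mkdtemp()
    try:
        private = os.path.join(work, "victim_private")
        with open(private, "w") as fh:
            fh.write("original")
        shared = os.path.join(work, "shared")
        os.mkdir(shared)
        predictable = os.path.join(shared, "update-manager-1234.tmp")
        os.symlink(private, predictable)  # the attacker's move, made first
        error = None
        try:
            writer = write_exclusive if secure else write_with_predictable_name
            writer(predictable, "attacker-chosen content")
        except OSError as exc:
            error = type(exc).__name__
        with open(private) as fh:
            return {"private_now": fh.read(), "error": error}
    finally:
        shutil.rmtree(work)
```

With the predictable open() the victim's private file is overwritten with attacker-chosen content and nothing is reported; with the exclusive open the write fails at creation and the private file is untouched. Failing here is the correct outcome: the caller should then pick a fresh random name (or simply use mkstemp from the start) rather than retry the same path.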