Weekly Vulnerabilities Reports > April 28 to May 4, 2014

Overview

127 new vulnerabilities were reported during this period, including 16 critical and 31 high-severity vulnerabilities. This weekly summary covers vulnerabilities in 119 products from 63 vendors, including Cisco, Canonical, Fedoraproject, Mozilla, and Opensuse. The most common weakness categories are "Permissions, Privileges, and Access Controls", "Improper Input Validation", "Cross-site Scripting", "Information Exposure", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 112 reported vulnerabilities are remotely exploitable.
  • 6 reported vulnerabilities have a public exploit available.
  • 26 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 99 reported vulnerabilities are exploitable by an anonymous user.
  • Cisco has the most reported vulnerabilities, with 24 reported vulnerabilities.
  • Canonical has the most reported critical vulnerabilities, with 8 reported vulnerabilities.

[Dashboard tiles: Total vulnerabilities; Critical, High, Medium and Low risk vulnerabilities; Remotely exploitable; Locally exploitable; Exploit available; Exploitable anonymously; Affecting web application. The tile counts were not preserved; the figures above give the same totals.]

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


16 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-05-02 CVE-2014-2171 Cisco Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

Heap-based buffer overflow in Cisco TelePresence TC Software 4.x through 6.x before 6.0.1 and TE Software 4.x and 6.0.x before 6.0.2 allows remote attackers to execute arbitrary code via crafted SIP packets, aka Bug ID CSCud81796.

10.0
2014-05-01 CVE-2014-2882 Citrix Unspecified vulnerability in Citrix products

Unspecified vulnerability in the management GUI in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway before 9.3-66.5 and 10.x before 10.1-122.17 has unspecified impact and vectors, related to certificate validation.

10.0
2014-05-01 CVE-2014-2881 Citrix Security vulnerability in Citrix NetScaler

Unspecified vulnerability in the Diffie-Hellman key agreement implementation in the management GUI Java applet in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway before 9.3-66.5 and 10.x before 10.1-122.17 has unknown impact and vectors.

10.0
2014-04-30 CVE-2014-1528 Canonical, Opensuse, Opensuse Project, Oracle, Mozilla, Microsoft, Fedoraproject Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in multiple products

The sse2_composite_src_x888_8888 function in Pixman, as used in Cairo in Mozilla Firefox 28.0 and SeaMonkey 2.25 on Windows, allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write and application crash) by painting on a CANVAS element.

10.0
2014-04-29 CVE-2014-0515 Adobe, Linux, Apple, Microsoft Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Adobe Flash Player

Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

10.0
2014-04-28 CVE-2014-3008 Unitrends OS Command Injection vulnerability in Unitrends Enterprise Backup 7.3.0

Unitrends Enterprise Backup 7.3.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the comm parameter to recoveryconsole/bpl/snmpd.php.

10.0
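
The CVE-2014-3008 entry above describes the classic shape of OS command injection: a request parameter (comm, an SNMP community string) is spliced into a shell command line, so shell metacharacters in it become extra commands. The following is an added example, not Unitrends' code or part of the original report: it models that pattern in Python, with "echo" standing in for the SNMP binary so it runs anywhere with a POSIX sh, and shows the three fixes a reviewer would ask for (quote the value, stop using a shell at all, and allowlist the value's character set). The command shape, the allowlist policy and the payload are constructed assumptions.

```python
import re
import shlex
import shutil
import subprocess
from typing import List

# "echo" stands in for the SNMP binary the real script would call, so this runs anywhere
# with a POSIX sh; the command shape is a constructed model of the pattern, not Unitrends' code.
TOOL = "echo"


def build_unsafe(comm: str) -> str:
    """Vulnerable shape: the community string is spliced verbatim into a shell command line."""
    return f"{TOOL} -c {comm} localhost"


def build_quoted(comm: str) -> str:
    """Quoting fix: shlex.quote turns the value into one shell word, like PHP's escapeshellarg()."""
    return f"{TOOL} -c {shlex.quote(comm)} localhost"


COMMUNITY_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def accept_community(comm: str) -> bool:
    """Allowlist fix (assumed policy): only a conservative character set is accepted at all."""
    return COMMUNITY_RE.fullmatch(comm) is not None


def tools_available() -> bool:
    """True when both a POSIX sh and the stand-in binary are on PATH."""
    return shutil.which("sh") is not None and shutil.which(TOOL) is not None


def run_in_sh(cmdline: str) -> List[str]:
    """Execute through sh -c, as PHP's exec()/shell_exec() do; returns the output lines."""
    out = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def run_argv(comm: str) -> List[str]:
    """No-shell fix: an argv list goes straight to execve, so metacharacters stay data."""
    out = subprocess.run([TOOL, "-c", comm, "localhost"], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


PAYLOAD = "public; echo INJECTED"   # constructed attacker value for the comm parameter

if __name__ == "__main__":
    print("unsafe :", run_in_sh(build_unsafe(PAYLOAD)))   # two lines: the injected command ran
    print("quoted :", run_in_sh(build_quoted(PAYLOAD)))   # one line: the payload is printed as data
    print("argv   :", run_argv(PAYLOAD))                   # one line, no shell involved
    print("allowlist accepts payload?", accept_community(PAYLOAD))
```

Quoting alone is only as good as the quoting function and the shell it targets; the argv form removes the shell from the picture, and the allowlist rejects the payload before any command is built. Note that CVE-2014-3008 requires authentication, while the companion CVE-2014-3139 entry below (auth parameter bypass in the same snmpd.php) removes that requirement, so the two combine into an unauthenticated remote command execution path.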
2014-04-30 CVE-2014-1531 Mozilla, Canonical, Debian, Redhat, Fedoraproject, Opensuse, Suse Use After Free vulnerability in multiple products

Use-after-free vulnerability in the nsGenericHTMLElement::GetWidthHeightForImage function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving an imgLoader object that is not properly handled during an image-resize operation.

9.3
2014-04-30 CVE-2014-1529 Mozilla, Canonical, Debian, Redhat, Fedoraproject, Opensuse, Suse Improper Privilege Management vulnerability in multiple products

The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to bypass intended source-component restrictions and execute arbitrary JavaScript code in a privileged context via a crafted web page for which Notification.permission is granted.

9.3
2014-04-30 CVE-2014-1525 Mozilla, Canonical, Opensuse, Fedoraproject Use After Free vulnerability in multiple products

The mozilla::dom::TextTrack::AddCue function in Mozilla Firefox before 29.0 and SeaMonkey before 2.26 does not properly perform garbage collection for Text Track Manager variables, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and heap memory corruption) via a crafted VIDEO element in an HTML document.

9.3
2014-04-30 CVE-2014-1522 Fedoraproject, Canonical, Opensuse, Mozilla Out-Of-Bounds Read vulnerability in multiple products

The mozilla::dom::OscillatorNodeEngine::ComputeCustom function in the Web Audio subsystem in Mozilla Firefox before 29.0 and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read, memory corruption, and application crash) via crafted content.

9.3
2014-04-30 CVE-2014-1519 Mozilla, Canonical, Opensuse, Fedoraproject

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0 and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

9.3
2014-04-30 CVE-2014-1518 Mozilla, Fedoraproject, Canonical, Debian, Redhat, Opensuse, Suse

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

9.3
2014-05-02 CVE-2014-2170 Cisco Code Injection vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

Cisco TelePresence TC Software 4.x and 5.x before 5.1.7 and 6.x before 6.0.1 and TE Software 4.x and 6.0 allow remote authenticated users to execute arbitrary commands by using the commands as arguments to tshell (aka tcsh) scripts, aka Bug ID CSCue60202.

9.0
2014-05-02 CVE-2014-2169 Cisco Improper Input Validation vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

Cisco TelePresence TC Software 4.x through 6.x before 6.2.0 and TE Software 4.x and 6.0 allow remote authenticated users to execute arbitrary commands by using the commands as arguments to internal system scripts, aka Bug ID CSCue60211.

9.0
2014-04-30 CVE-2013-6990 Fortinet Permissions, Privileges, and Access Controls vulnerability in Fortinet Fortiauthenticator

FortiGuard FortiAuthenticator before 3.0 allows remote administrators to gain privileges via the command line interface.

9.0
2014-04-28 CVE-2014-0187 Openstack, Canonical, Opensuse Permissions, Privileges, and Access Controls vulnerability in multiple products

The openvswitch-agent process in OpenStack Neutron 2013.1 before 2013.2.4 and 2014.1 before 2014.1.1 allows remote authenticated users to bypass security group restrictions via an invalid CIDR in a security group rule, which prevents further rules from being applied.

9.0
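
The CVE-2014-0187 entry above is a fail-open bug: one malformed rule aborts the agent's rule application, and everything that should have been applied after it, including the deny that the allow rules were supposed to sit in front of, silently goes missing. The following added example (not Neutron's code or part of the original report) models that in Python with a simplified chain: each security-group rule becomes an ACCEPT entry, a terminal DROP supplies the deny, and the chain's own policy is assumed to be ACCEPT, so losing the DROP opens the chain. The sample rules are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Dict[str, str]
ChainEntry = Tuple[str, Optional[object], Optional[int]]   # (action, network, dport)

# Constructed sample security group: two valid allow rules around one with a bad prefix length.
SAMPLE_RULES: List[Rule] = [
    {"protocol": "tcp", "port": "22",   "remote_ip_prefix": "10.0.0.0/24"},
    {"protocol": "tcp", "port": "80",   "remote_ip_prefix": "10.0.0.0/240"},   # invalid CIDR
    {"protocol": "tcp", "port": "3306", "remote_ip_prefix": "10.0.1.0/24"},
]

DROP: ChainEntry = ("DROP", None, None)


def compile_rule(rule: Rule) -> ChainEntry:
    """Translate one security-group rule into a chain entry; a malformed CIDR raises ValueError."""
    net = ipaddress.ip_network(rule["remote_ip_prefix"], strict=False)
    return ("ACCEPT", net, int(rule["port"]))


def build_chain_vulnerable(rules: List[Rule]) -> List[ChainEntry]:
    """Models the failing behaviour: the first bad rule aborts the whole apply, so the rules
    after it, including the terminal DROP, never reach the chain."""
    chain: List[ChainEntry] = []
    for rule in rules:
        try:
            chain.append(compile_rule(rule))
        except ValueError:
            return chain
    chain.append(DROP)
    return chain


def build_chain_hardened(rules: List[Rule]) -> Tuple[List[ChainEntry], List[Rule]]:
    """Fail closed: validate every rule, keep the good ones, report the bad ones, and
    always finish with the terminal DROP."""
    chain: List[ChainEntry] = []
    rejected: List[Rule] = []
    for rule in rules:
        try:
            chain.append(compile_rule(rule))
        except ValueError:
            rejected.append(rule)
    chain.append(DROP)
    return chain, rejected


def is_allowed(chain: List[ChainEntry], src_ip: str, dport: int) -> bool:
    """First matching entry wins. Assumption for this model: the chain's own policy is
    ACCEPT, as it is when an explicit terminal DROP is relied on to deny."""
    src = ipaddress.ip_address(src_ip)
    for action, net, port in chain:
        if action == "DROP":
            return False
        if src in net and port == dport:
            return True
    return True


if __name__ == "__main__":
    vuln = build_chain_vulnerable(SAMPLE_RULES)
    hard, rejected = build_chain_hardened(SAMPLE_RULES)
    print("vulnerable chain allows 192.0.2.5 -> 3306:", is_allowed(vuln, "192.0.2.5", 3306))
    print("hardened chain allows 192.0.2.5 -> 3306:  ", is_allowed(hard, "192.0.2.5", 3306))
    print("rejected rules:", rejected)
```

The better fix is to refuse the malformed CIDR at the API, when the rule is created, so the agent never sees it; the agent-side validation above is the defence in depth for rules that arrive through other paths, and the invariant to test for is that the terminal deny is installed no matter what the rule set looks like.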

31 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-05-02 CVE-2014-3000 Freebsd Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Freebsd

The TCP reassembly function in the inet module in FreeBSD 8.3 before p16, 8.4 before p9, 9.1 before p12, 9.2 before p5, and 10.0 before p2 allows remote attackers to cause a denial of service (undefined memory access and system crash) or possibly read system memory via multiple crafted packets, related to moving a reassemble queue entry to the segment list when the queue is full.

7.8
2014-05-02 CVE-2014-2175 Cisco Improper Input Validation vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allow remote attackers to cause a denial of service (memory consumption) via crafted H.225 packets, aka Bug ID CSCtq78849.

7.8
2014-05-02 CVE-2014-2167 Cisco Improper Input Validation vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCua86589.

7.8
2014-05-02 CVE-2014-2166 Cisco Improper Input Validation vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

The SIP implementation in Cisco TelePresence TC Software 4.x and TE Software 4.x allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCto70562.

7.8
2014-05-02 CVE-2014-2165 Cisco Improper Input Validation vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCtq72699.

7.8
2014-05-02 CVE-2014-2164 Cisco Improper Input Validation vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCuj94651.

7.8
2014-05-02 CVE-2014-2163 Cisco Improper Input Validation vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCua64961.

7.8
2014-05-02 CVE-2014-2162 Cisco Improper Input Validation vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCud29566.

7.8
2014-05-02 CVE-2014-2161 Cisco Improper Input Validation vulnerability in Cisco products

The H.225 subsystem in Cisco TelePresence System MXP Series Software before F9.3.1 allows remote attackers to cause a denial of service (device reload) via crafted packets, aka Bug ID CSCty45731.

7.8
2014-05-02 CVE-2014-2160 Cisco Improper Input Validation vulnerability in Cisco products

The H.225 subsystem in Cisco TelePresence System MXP Series Software before F9.3.1 allows remote attackers to cause a denial of service (device reload) via crafted packets, aka Bug ID CSCty45745.

7.8
2014-05-02 CVE-2014-2159 Cisco Improper Input Validation vulnerability in Cisco products

The H.225 subsystem in Cisco TelePresence System MXP Series Software before F9.3.1 allows remote attackers to cause a denial of service (device reload) via crafted packets, aka Bug ID CSCtq78722.

7.8
2014-05-02 CVE-2014-2158 Cisco Improper Input Validation vulnerability in Cisco products

Cisco TelePresence System MXP Series Software before F9.3.1 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCty45720.

7.8
2014-05-02 CVE-2014-2168 Cisco Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

Buffer overflow in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allows remote attackers to execute arbitrary code via crafted DNS response packets, aka Bug ID CSCty44804.

7.6
2014-05-02 CVE-2014-2322 Dynamixsolutions Unspecified vulnerability in Dynamixsolutions Arabic Prawn 0.0.1

lib/string_utf_support.rb in the Arabic Prawn 0.0.1 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) downloaded_file or (2) url variable.

7.5
2014-05-02 CVE-2014-3139 Unitrends Improper Authentication vulnerability in Unitrends Enterprise Backup 7.3.0

recoveryconsole/bpl/snmpd.php in Unitrends Enterprise Backup 7.3.0 allows remote attackers to bypass authentication by setting the auth parameter to a certain string.

7.5
2014-04-30 CVE-2014-1532 Mozilla, Fedoraproject, Canonical, Debian, Redhat, Opensuse, Suse Use After Free vulnerability in multiple products

Use-after-free vulnerability in the nsHostResolver::ConditionallyRefreshRecord function in libxul.so in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors related to host resolution.

7.5
2014-04-30 CVE-2014-1524 Mozilla, Canonical, Debian, Redhat, Opensuse, Suse, Fedoraproject Classic Buffer Overflow vulnerability in multiple products

The nsXBLProtoImpl::InstallImplementation function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 does not properly check whether objects are XBL objects, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via crafted JavaScript code that accesses a non-XBL object as if it were an XBL object.

7.5
2014-04-29 CVE-2013-7373 Google Information Exposure vulnerability in Google Android

Android before 4.4 does not properly arrange for seeding of the OpenSSL PRNG, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging use of the PRNG within multiple applications.

7.5
2014-04-29 CVE-2014-0088 F5 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in F5 Nginx 1.5.10

The SPDY implementation in the ngx_http_spdy_module module in nginx 1.5.10 before 1.5.11, when running on a 32-bit platform, allows remote attackers to execute arbitrary code via a crafted request.

7.5
2014-04-29 CVE-2013-7236 Simplemachines Improper Input Validation vulnerability in Simplemachines Simple Machines Forum

Simple Machines Forum (SMF) 2.0.6, 1.1.19, and earlier allows remote attackers to impersonate arbitrary users via a Unicode homoglyph character in a username.

7.5
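
The CVE-2013-7236 entry above is an identity-confusion bug: a username containing a Unicode character that renders like a Latin letter is a distinct string to the database but the same name to a human reader. The following is an added example, not SMF's fix or part of the original report, of the two checks a registration path wants: a comparison key that normalises compatibility forms and maps known look-alikes onto their Latin targets, and a mixed-script test. The confusables table is a small constructed subset (a real deployment would load Unicode's confusables data), and the registration policy is an assumption.

```python
import unicodedata
from typing import Iterable, Set, Tuple

# Constructed subset of Latin look-alikes, illustrative only; a real deployment would use the
# Unicode confusables.txt data. Keys are the look-alikes, values the Latin letter they mimic.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
}


def skeleton(name: str) -> str:
    """Comparison key: compatibility-normalise (folds fullwidth forms and ligatures),
    case-fold, then map known look-alikes onto their Latin targets."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def scripts_used(name: str) -> Set[str]:
    """Script names of the letters in a name, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...); digits and symbols are ignored."""
    scripts: Set[str] = set()
    for ch in unicodedata.normalize("NFKC", name):
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(name: str) -> bool:
    return len(scripts_used(name)) > 1


def registration_allowed(new_name: str, existing: Iterable[str]) -> Tuple[bool, str]:
    """Assumed policy: refuse mixed-script names outright, then refuse any name whose
    skeleton collides with an existing account's skeleton."""
    if is_mixed_script(new_name):
        return False, "mixed scripts"
    key = skeleton(new_name)
    if any(skeleton(e) == key for e in existing):
        return False, "confusable with an existing name"
    return True, "ok"


if __name__ == "__main__":
    taken = ["admin", "moderator"]
    for candidate in ["\u0430dmin", "\uff21dmin", "alice"]:   # Cyrillic a, fullwidth A, plain
        print(repr(candidate), registration_allowed(candidate, taken))
```

The skeleton comparison has to be applied to every existing account, not just the one being registered, so the collision check is a lookup against a stored skeleton column rather than a scan. The mixed-script rule is a coarse heuristic: scripts that legitimately co-occur (Hiragana, Katakana and CJK ideographs in a Japanese name, for instance) need an allowance, otherwise real users are rejected alongside the impersonators.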
2014-04-29 CVE-2013-7134 Phusion Credentials Management vulnerability in Phusion Juvia

Juvia uses the same secret key for all installations, which allows remote attackers to have unspecified impact by leveraging the secret key in app/config/initializers/secret_token.rb, related to cookies.

7.5
2014-04-29 CVE-2014-0113 Apache Permissions, Privileges, and Access Controls vulnerability in Apache Struts

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request.

7.5
2014-04-29 CVE-2014-0112 Apache Permissions, Privileges, and Access Controls vulnerability in Apache Struts

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request.

7.5
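
The two Apache Struts entries above (CVE-2014-0113 for cookie names, CVE-2014-0112 for request parameter names) share one root cause: the interceptors bind names onto the action's bean graph, and a name that walks through the bean's class property (class.classLoader...) reaches the ClassLoader. For anyone hunting for attempts in existing logs, the following added example, which is not Struts project code or part of the original report, flags such names in query strings from access-log lines and in Cookie header values. The log lines are constructed, and the text after class.classLoader in them is a placeholder rather than a working payload; the regular expression is this example's own.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Parameter names that reach the ClassLoader through the bean's "class" property, either
# dotted (class.classLoader.x, foo.class.classLoader.x) or in OGNL index form
# (foo['class']['classLoader']), with the leading letter in either case. The anchors
# before "class" keep names such as classic.classLoader from matching.
CLASSLOADER_RE = re.compile(r"(?:^|\.|\[['\"]?)[cC]lass(?:\.|['\"]?\]\[['\"]?)classLoader")

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/\d\.\d"')

# Constructed access-log lines in Combined Log Format shape; not from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Apr/2014:10:01:02 +0000] "GET /app/list.action?page=2&sort=name HTTP/1.1" 200 5120',
    '203.0.113.7 - - [29/Apr/2014:10:01:09 +0000] "GET /app/list.action?class.classLoader.someProperty=x HTTP/1.1" 200 5120',
    '203.0.113.7 - - [29/Apr/2014:10:01:15 +0000] "GET /app/list.action?user%5B%27class%27%5D%5B%27classLoader%27%5D.someProperty=x HTTP/1.1" 200 5120',
    '198.51.100.4 - - [29/Apr/2014:10:02:40 +0000] "GET /app/list.action?classic.classLoader=1 HTTP/1.1" 200 5120',
]


def flag_names(names: Iterable[str]) -> List[str]:
    """Return the names that walk through class -> classLoader."""
    return [n for n in names if CLASSLOADER_RE.search(n)]


def flag_query(target: str) -> List[str]:
    """Decode the query string of a request target and check each parameter name."""
    query = urlsplit(target).query
    return flag_names(name for name, _ in parse_qsl(query, keep_blank_values=True))


def flag_cookie_header(value: str) -> List[str]:
    """CVE-2014-0113: with a wildcard cookiesName, cookie names are bound the same way,
    so the same check applies to the names in a Cookie header."""
    names = [part.split("=", 1)[0].strip() for part in value.split(";") if part.strip()]
    return flag_names(names)


def scan_log(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """(line index, flagged names) for every line whose request target carries a hit."""
    hits: List[Tuple[int, List[str]]] = []
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        names = flag_query(m.group(1))
        if names:
            hits.append((i, names))
    return hits


if __name__ == "__main__":
    for index, names in scan_log(SAMPLE_LOG):
        print(f"line {index}: {names}")
```

Two caveats on coverage: access logs only carry the query string, so parameter names sent in a POST body need request logging or a WAF in front of the application; and parse_qsl decodes one layer of percent-encoding, so a double-encoded name (%252E for the dot) would pass through and needs an extra decode pass if the application tolerates it. The fix is the upgrade the advisory names; Struts' ParametersInterceptor also has an excludeParams setting that the project documented as an interim mitigation for names of this shape.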
2014-04-28 CVE-2014-2846 Westerndigital Path Traversal vulnerability in Westerndigital Arkeia Virtual Appliance Firmware 10.2.7

Directory traversal vulnerability in opt/arkeia/wui/htdocs/index.php in the WD Arkeia virtual appliance (AVA) with firmware before 10.2.9 allows remote attackers to read arbitrary files and execute arbitrary PHP code via a ..././ (dot dot dot slash dot slash) in the lang Cookie parameter, as demonstrated by a request to login/doLogin.

7.5
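
The "..././" in the CVE-2014-2846 entry above is the tell of a filter that deletes "../" in a single pass: removing the inner "../" from "..././" leaves "../" behind, so the traversal survives its own sanitiser. The following added example, not Arkeia's code or part of the original report, reproduces that failure in Python and sets it beside the two shapes that hold up: checking the normalised final path against the allowed directory, and not letting the cookie value into the path at all. The directory layout and the ".php" include suffix are assumptions built from the advisory's path and its mention of PHP code execution.

```python
import posixpath
from typing import Optional, Sequence

# Assumed layout, modelled on the path in the advisory; not Arkeia's real code.
WEBROOT = "/opt/arkeia/wui/htdocs"
LANG_DIR = posixpath.join(WEBROOT, "lang")


def strip_dotdot_once(value: str) -> str:
    """The kind of filter that '..././' defeats: delete every '../' in one pass.
    Removing the inner '../' from '..././' leaves '../' behind."""
    return value.replace("../", "")


def resolve_naive(lang: str) -> str:
    """Vulnerable shape: sanitise the cookie value once, then build the include path from it."""
    return posixpath.normpath(posixpath.join(LANG_DIR, strip_dotdot_once(lang) + ".php"))


def resolve_safe(lang: str) -> Optional[str]:
    """Hardened shape: normalise the final path and require it to stay inside LANG_DIR.
    The input is never 'cleaned'; only where it ends up is checked."""
    candidate = posixpath.normpath(posixpath.join(LANG_DIR, lang + ".php"))
    if not candidate.startswith(LANG_DIR + "/"):
        return None
    return candidate


def resolve_allowlisted(lang: str, known: Sequence[str] = ("en", "fr", "de")) -> Optional[str]:
    """Strongest shape: the cookie selects from a fixed set; the value never touches the path."""
    return posixpath.join(LANG_DIR, lang + ".php") if lang in known else None


# Constructed payload in the advisory's '..././' style: five levels up, then a target file.
PAYLOAD = "..././" * 5 + "etc/passwd"

if __name__ == "__main__":
    print("after one-pass strip:", strip_dotdot_once(PAYLOAD))
    print("naive resolves to:   ", resolve_naive(PAYLOAD))
    print("safe resolves to:    ", resolve_safe(PAYLOAD))
    print("allowlist gives:     ", resolve_allowlisted(PAYLOAD))
```

With the payload above the naive resolver lands on /etc/passwd.php, while the hardened resolver keeps the literal "..." components as ordinary directory names under LANG_DIR (normpath only treats "." and ".." specially) and rejects the stripped form outright. On a real filesystem the containment check should run on os.path.realpath() of the candidate, so that a symlink inside the language directory cannot point back out of it.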
2014-04-28 CVE-2014-2657 Papercut Security vulnerability in Papercut MF 14.1

Unspecified vulnerability in the print release functionality in PaperCut MF before 14.1 (Build 26983) has unknown impact and remote vectors, related to embedded MFPs.

7.5
2014-04-28 CVE-2014-2042 Livetecs Arbitrary File Upload vulnerability in Livetecs Timelive

Unrestricted file upload vulnerability in the Manage Project functionality in Livetecs Timelive before 6.5.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in a predictable directory in Uploads/.

7.5
2014-04-28 CVE-2014-1217 Livetecs Permissions, Privileges, and Access Controls vulnerability in Livetecs Timelive

Livetecs Timelive before 6.2.8 does not properly restrict access to systemsetting.aspx, which allows remote attackers to change configurations and obtain the database connection string and credentials via unspecified vectors.

7.5
2014-05-02 CVE-2014-2173 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 do not properly restrict access to the serial port, which allows local users to gain privileges via unspecified commands, aka Bug ID CSCub67692.

7.2
2014-04-30 CVE-2014-0470 Super Project Permissions, Privileges, and Access Controls vulnerability in Super Project Super 3.30.0

super.c in Super 3.30.0 does not check the return value of the setuid function when the -F flag is set, which allows local users to gain privileges via unspecified vectors, aka an RLIMIT_NPROC attack.

7.2
2014-05-02 CVE-2014-2157 Cisco Improper Input Validation vulnerability in Cisco products

Cisco TelePresence System MXP Series Software before F9.3.1 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCty45733.

7.1
2014-05-02 CVE-2014-2156 Cisco Improper Input Validation vulnerability in Cisco products

Cisco TelePresence System MXP Series Software before F9.3.1 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCty45739.

7.1

72 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-05-02 CVE-2014-2905 Fishshell Permissions, Privileges, and Access Controls vulnerability in Fishshell Fish 1.16.0/2.0.0

fish (aka fish-shell) 1.16.0 before 2.1.1 does not properly check the credentials, which allows local users to gain privileges via the universal variable socket, related to /tmp/fishd.socket.user permissions.

6.9
2014-05-01 CVE-2014-0646 EMC Cryptographic Issues vulnerability in EMC RSA Access Manager 6.1/6.2

The runtime WS component in the server in EMC RSA Access Manager 6.1.3 before 6.1.3.39, 6.1.4 before 6.1.4.22, 6.2.0 before 6.2.0.11, and 6.2.1 before 6.2.1.03, when INFO logging is enabled, allows local users to discover cleartext passwords by reading log files.

6.9
2014-04-30 CVE-2014-1520 Mozilla, Fedoraproject Improper Privilege Management vulnerability in multiple products

maintenservice_installer.exe in the Maintenance Service Installer in Mozilla Firefox before 29.0 and Firefox ESR 24.x before 24.5 on Windows allows local users to gain privileges by placing a Trojan horse DLL file into a temporary directory at an unspecified point in the update process.

6.9
2014-05-02 CVE-2014-3006 Sitepark Permissions, Privileges, and Access Controls vulnerability in Sitepark Information Enterprise Server 2.9

Sitepark Information Enterprise Server (IES) 2.9 before 2.9.6, when upgraded from an earlier version, does not properly restrict access, which allows remote attackers to change the manager account password and obtain sensitive information via a request to install/.

6.8
2014-04-30 CVE-2014-2186 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Webex Meetings Server

Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco WebEx Meetings Server allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuj81777.

6.8
2014-04-30 CVE-2014-1526 Mozilla, Canonical, Opensuse, Fedoraproject Improper Privilege Management vulnerability in multiple products

The XrayWrapper implementation in Mozilla Firefox before 29.0 and SeaMonkey before 2.26 allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site that is visited in the debugger, leading to unwrapping operations and calls to DOM methods on the unwrapped objects.

6.8
2014-04-29 CVE-2013-7302 Ubercart, Drupal Improper Authentication vulnerability in Ubercart

Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID.

6.8
2014-04-29 CVE-2013-7284 Malcolm Nooning Code Injection vulnerability in Malcolm Nooning PlRPC

The PlRPC module, possibly 0.2020 and earlier, for Perl uses the Storable module, which allows remote attackers to execute arbitrary code via a crafted request, which is not properly handled when it is deserialized.

6.8
2014-04-29 CVE-2013-7259 Neo4J Cross-Site Request Forgery (CSRF) vulnerability in Neo4J 1.9.2

Multiple cross-site request forgery (CSRF) vulnerabilities in Neo4J 1.9.2 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary code, as demonstrated by a request to (1) db/data/ext/GremlinPlugin/graphdb/execute_script or (2) db/manage/server/console/.

6.8
2014-05-02 CVE-2014-2172 Cisco Buffer Errors vulnerability in Cisco Telepresence TC Software and Telepresence TE Software

Buffer overflow in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allows local users to gain privileges by leveraging improper handling of the u-boot compiler flag for internal executable files, aka Bug ID CSCub67693.

6.6
2014-05-02 CVE-2014-3138 Xerox SQL Injection vulnerability in Xerox Docushare 6.5.3/6.6.1

SQL injection vulnerability in Xerox DocuShare before 6.53 Patch 6 Hotfix 2, 6.6.1 Update 1 before Hotfix 24, and 6.6.1 Update 2 before Hotfix 3 allows remote authenticated users to execute arbitrary SQL commands via the PATH_INFO to /docushare/dsweb/ResultBackgroundJobMultiple/.

6.5
2014-04-30 CVE-2013-1806 PHP Fusion Path Traversal vulnerability in PHP-Fusion

Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a ..

6.5
2014-04-30 CVE-2014-2565 Bluecoat OS Command Injection vulnerability in Bluecoat products

The commandline interface in Blue Coat Content Analysis System (CAS) 1.1 before 1.1.4.2 allows remote administrators to execute arbitrary commands via unspecified vectors, related to "command injection."

6.5
2014-04-30 CVE-2014-1957 Fortinet Permissions, Privileges, and Access Controls vulnerability in Fortinet Fortiweb

FortiGuard FortiWeb before 5.0.3 allows remote authenticated users to gain privileges via unspecified vectors.

6.5
2014-04-29 CVE-2014-2183 Cisco Improper Input Validation vulnerability in Cisco products

The L2TP module in Cisco IOS XE 3.10S(.2) and earlier on ASR 1000 routers allows remote authenticated users to cause a denial of service (ESP card reload) via a malformed L2TP packet, aka Bug ID CSCun09973.

6.3
2014-05-02 CVE-2014-3125 XEN Permissions, Privileges, and Access Controls vulnerability in XEN 4.4.0

Xen 4.4.x, when running on an ARM system, does not properly context switch the CNTKCTL_EL1 register, which allows local guest users to modify the hardware timers and cause a denial of service (crash) via unspecified vectors.

6.2
2014-05-02 CVE-2014-1989 Cybozu Permissions, Privileges, and Access Controls vulnerability in Cybozu Garoon

Cybozu Garoon 3.0 through 3.7 SP3 allows remote authenticated users to bypass intended access restrictions and delete schedule information via unspecified API calls.

6.0
2014-05-02 CVE-2014-3001 Freebsd Permissions, Privileges, and Access Controls vulnerability in Freebsd 10.0

The device file system (aka devfs) in FreeBSD 10.0 before p2 does not load default rulesets when booting, which allows context-dependent attackers to bypass intended restrictions by leveraging a jailed device node process.

5.8
2014-04-30 CVE-2014-0363 Igniterealtime Improper Certificate Validation vulnerability in Igniterealtime Smack

The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.

5.8
2014-04-29 CVE-2013-7065 Organic Groups Project Permissions, Privileges, and Access Controls vulnerability in Organic Groups Project Organic Groups

The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal allows remote attackers to bypass access restrictions and post to arbitrary groups via a group audience field, as demonstrated by the og_group_ref field.

5.8
2014-05-02 CVE-2013-7061 Plone Permissions, Privileges, and Access Controls vulnerability in Plone

Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API.

5.5
2014-04-28 CVE-2014-2986 XEN Improper Input Validation vulnerability in XEN 4.4.0

The vgic_distr_mmio_write function in the virtual guest interrupt controller (GIC) distributor (arch/arm/vgic.c) in Xen 4.4.x, when running on an ARM system, allows local guest users to cause a denial of service (NULL pointer dereference and host crash) via unspecified vectors.

5.5
2014-05-02 CVE-2013-7060 Plone Information Exposure vulnerability in Plone

Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows remote attackers to obtain the installation path via vectors related to a file object for unspecified documentation which is initialized in class scope.

5.0
2014-05-01 CVE-2014-0859 IBM Denial of Service vulnerability in IBM WebSphere Application Server

The web-server plugin in IBM WebSphere Application Server (WAS) 7.x before 7.0.0.33, 8.x before 8.0.0.9, and 8.5.x before 8.5.5.2, when POST retries are enabled, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors.

5.0
2014-05-01 CVE-2014-0786 Ecava Cryptographic Issues vulnerability in Ecava Integraxor

Ecava IntegraXor before 4.1.4393 allows remote attackers to read cleartext credentials for administrative accounts via SELECT statements that leverage the guest role.

5.0
2014-04-30 CVE-2013-1807 PHP Fusion Permissions, Privileges, and Access Controls vulnerability in PHP-Fusion

PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/.

5.0
2014-04-30 CVE-2014-3133 SAP Permissions, Privileges, and Access Controls vulnerability in SAP Netweaver Java Application Server

SAP Netweaver Java Application Server does not properly restrict access, which allows remote attackers to obtain the list of SAP systems registered on an SLD via an unspecified webdynpro, related to SystemSelection.

5.0
2014-04-30 CVE-2014-3129 SAP Information Exposure vulnerability in SAP Netweaver Software Lifecycle Manager 7.1

The Java Server Pages in the Software Lifecycle Manager (SLM) in SAP NetWeaver allows remote attackers to obtain sensitive information via a crafted request, related to SAP Solution Manager 7.1.

5.0
2014-04-30 CVE-2014-1956 Fortinet Unspecified vulnerability in Fortinet Fortiweb

CRLF injection vulnerability in FortiGuard FortiWeb before 5.0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

5.0
2014-04-30 CVE-2014-0471 Debian, Canonical Path Traversal vulnerability in multiple products

Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted source package, related to "C-style filename quoting."

5.0
2014-04-30 CVE-2013-6445 Redhat Cryptographic Issues vulnerability in Redhat Enterprise MRG 2.5

Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, uses the DES-based crypt function to hash passwords, which makes it easier for attackers to obtain sensitive information via a brute-force attack.

5.0
2014-04-30 CVE-2014-2545 Tibco Information Exposure vulnerability in Tibco products

TIBCO Managed File Transfer Internet Server before 7.2.2, Managed File Transfer Command Center before 7.2.2, Slingshot before 1.9.1, and Vault before 1.0.1 allow remote attackers to obtain sensitive information via a crafted HTTP request.

5.0
2014-04-30 CVE-2014-1527 Fedoraproject, Mozilla, Google, Oracle Security vulnerability in Mozilla Firefox for Android

Mozilla Firefox before 29.0 on Android allows remote attackers to spoof the address bar via crafted JavaScript code that uses DOM events to prevent the reemergence of the actual address bar after scrolling has taken it off of the screen.

5.0
2014-04-30 CVE-2014-0364 Igniterealtime Insufficient Verification of Data Authenticity vulnerability in Igniterealtime Smack

The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute.

5.0
2014-04-29 CVE-2013-7372 Apache, Google Cryptographic Issues vulnerability in multiple products

The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.

5.0
2014-04-29 CVE-2013-7111 Basespace Ruby SDK Project Information Exposure vulnerability in Basespace Ruby SDK Project Basespace Ruby SDK 0.1.7

The put_call function in the API client (api/api_client.rb) in the BaseSpace Ruby SDK (aka bio-basespace-sdk) gem 0.1.7 for Ruby uses the API_KEY on the command line, which allows remote attackers to obtain sensitive information by listing the processes.

5.0
2014-04-29 CVE-2013-7063 Invitation Project Permissions, Privileges, and Access Controls vulnerability in Invitation Project Invitation 7.X2.0/7.X2.1

The Invitation module 7.x-2.x for Drupal does not properly check permissions, which allows remote attackers to obtain sensitive information via unspecified default views.

5.0
2014-04-29 CVE-2014-2184 Cisco Improper Input Validation vulnerability in Cisco Unified Communications Manager

The IP Manager Assistant (IPMA) component in Cisco Unified Communications Manager (Unified CM) allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCun74352.

5.0
2014-04-29 CVE-2014-1843 Southrivertech Path Traversal vulnerability in Southrivertech Titan FTP Server

Directory traversal vulnerability in the web interface in Titan FTP Server before 10.40 build 1829 allows remote attackers to obtain the property information of an arbitrary home folder via a Properties action with a .. (dot dot) traversal sequence.

5.0
2014-04-29 CVE-2014-1842 Southrivertech Path Traversal vulnerability in Southrivertech Titan FTP Server

Directory traversal vulnerability in the web interface in Titan FTP Server before 10.40 build 1829 allows remote attackers to list all usernames via a Go action with a .. (dot dot) traversal sequence.

5.0
2014-04-29 CVE-2014-1841 Southrivertech Path Traversal vulnerability in Southrivertech Titan FTP Server

Directory traversal vulnerability in the web interface in Titan FTP Server before 10.40 build 1829 allows remote attackers to copy an arbitrary user's home folder via a Move action with a .. (dot dot) traversal sequence.

5.0
2014-04-28 CVE-2014-2658 Papercut Denial of Service vulnerability in PaperCut MF And PaperCut NG

Unspecified vulnerability in Papercut MF and NG before 14.1 (Build 26983) allows attacker to cause a denial of service via unknown vectors.

5.0
2014-04-28 CVE-2014-0079 Zarafa Improper Input Validation vulnerability in Zarafa

The ValidateUserLogon function in provider/libserver/ECSession.cpp in Zarafa 7.1.8, 6.20.0, and earlier, when using certain build conditions, allows remote attackers to cause a denial of service (crash) via vectors related to "a NULL pointer of the password."

5.0
2014-04-28 CVE-2014-0037 Zarafa Improper Input Validation vulnerability in Zarafa

The ValidateUserLogon function in provider/libserver/ECSession.cpp in Zarafa 5.00 before 7.1.8 beta2 allows remote attackers to cause a denial of service (crash) via vectors related to "a NULL pointer of the username."

5.0
2014-04-29 CVE-2013-7068 Organic Groups Project Permissions, Privileges, and Access Controls vulnerability in Organic Groups Project Organic Groups

The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users to bypass group restrictions on nodes with all groups set to optional input via an empty group field.

4.9
2014-05-01 CVE-2013-7374 Canonical Permissions, Privileges, and Access Controls vulnerability in Canonical Ubuntu Linux 13.10

The Ubuntu Date and Time Indicator (aka indicator-datetime) 13.10.0+13.10.x before 13.10.0+13.10.20131023.2-0ubuntu1.1 does not properly restrict access to Evolution, which allows local users to bypass the greeter screen restrictions by clicking the date.

4.6
2014-04-30 CVE-2014-3130 SAP Permissions, Privileges, and Access Controls vulnerability in SAP Netweaver Abap Application Server

The ABAP Help documentation and translation tools (BC-DOC-HLP) in Basis in SAP Netweaver ABAP Application Server does not properly restrict access, which allows local users to gain privileges and execute ABAP instructions via crafted help messages.

4.6
2014-04-29 CVE-2013-7221 Gnome Permissions, Privileges, and Access Controls vulnerability in Gnome Gnome-Shell

The automatic screen lock functionality in GNOME Shell (aka gnome-shell) before 3.10 does not prevent access to the "Enter a Command" dialog, which allows physically proximate attackers to execute arbitrary commands by leveraging an unattended workstation.

4.6
2014-04-29 CVE-2013-7220 Gnome Unspecified vulnerability in Gnome Gnome-Shell

js/ui/screenShield.js in GNOME Shell (aka gnome-shell) before 3.8 allows physically proximate attackers to execute arbitrary commands by leveraging an unattended workstation with the keyboard focus on the Activities search.

4.6
2014-05-02 CVE-2014-1899 Citrix Cross-Site Scripting vulnerability in Citrix products

Cross-site scripting (XSS) vulnerability in Citrix NetScaler Gateway (formerly Citrix Access Gateway Enterprise Edition) 9.x before 9.3.66.5 and 10.x before 10.1.123.9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-05-02 CVE-2014-1441 Coreftp Race Condition vulnerability in Coreftp Core FTP 1.2

Core FTP Server 1.2 before build 515 allows remote attackers to cause a denial of service (reachable assertion and crash) via an AUTH SSL command with malformed data, as demonstrated by pressing the enter key twice.

4.3
2014-05-02 CVE-2013-7110 Transifex Improper Input Validation vulnerability in Transifex

Transifex command-line client before 0.10 does not validate X.509 certificates for data transfer connections, which allows man-in-the-middle attackers to spoof a Transifex server via an arbitrary certificate.

4.3
2014-05-02 CVE-2013-2073 Transifex Improper Input Validation vulnerability in Transifex

Transifex command-line client before 0.9 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof a Transifex server via an arbitrary certificate.

4.3
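
What "does not validate X.509 certificates" looks like in code, beside the corrected setting, as an added example using Python's ssl module (not the Transifex client's own code): the weak context disables both chain verification and hostname checking, so any certificate is accepted; `ssl.create_default_context()` requires a chain to a trusted CA plus a matching name. `audit_context` is a check a client can run on its own context before use. The host in `fetch_head` is whatever the caller passes; nothing here contacts the network unless that function is called.

```python
import socket
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The weak setting: any certificate for any name is accepted (the 'verify=False' anti-pattern)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: chain validation against a CA store and a hostname check."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True, system CA bundle
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # optionally pin to a private/internal CA
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the problems with a client context; an empty list means it is safe to use."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: a forged chain is accepted")
    if not ctx.check_hostname:
        problems.append("check_hostname is off: a valid cert for any other name is accepted")
    return problems


def fetch_head(host: str, ctx: ssl.SSLContext, port: int = 443, timeout: float = 5.0) -> str:
    """Issue a HEAD request over TLS and return the status line.

    With a verifying context, a man-in-the-middle presenting its own certificate
    makes wrap_socket() raise ssl.SSLCertVerificationError instead of silently
    handing the attacker the session. (Network call; not part of the offline checks.)
    """
    if audit_context(ctx):
        raise ValueError("refusing to connect with a non-verifying TLS context")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return tls.recv(4096).decode(errors="replace").split("\r\n", 1)[0]
```

Both halves of the check matter: CVE-2013-2073 turned off validation everywhere, and CVE-2013-7110 shows the follow-up mistake of fixing one code path (the API calls) while a second one (data transfer) kept the insecure context, which is exactly the situation an `audit_context` call at every connection site catches.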
2014-05-01 CVE-2014-0896 IBM Information Exposure vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8.5.5.2 allows remote attackers to obtain sensitive information via a crafted request.

4.3
2014-05-01 CVE-2014-0823 IBM Information Exposure vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server (WAS) 8.x before 8.0.0.9 and 8.5.x before 8.5.5.2 allows remote attackers to read arbitrary files via a crafted URL.

4.3
2014-04-30 CVE-2014-3135 Vbulletin Cross-Site Scripting vulnerability in Vbulletin 5.1.1

Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 5.1.1 Alpha 9 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to privatemessage/new/, (2) the folderid parameter to a private message in privatemessage/view, (3) a fragment indicator to /help, or (4) the view parameter to a topic, as demonstrated by a request to forum/anunturi-importante/rst-power/67030-rst-admin-restore.

4.3
2014-04-30 CVE-2014-3134 SAP Cross-Site Scripting vulnerability in SAP Businessobjects

Cross-site scripting (XSS) vulnerability in the InfoView application in SAP BusinessObjects allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-04-30 CVE-2014-1955 Fortinet Cross-Site Scripting vulnerability in Fortinet Fortiweb

Cross-site scripting (XSS) vulnerability in FortiGuard FortiWeb before 5.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-04-30 CVE-2014-1530 Mozilla, Fedoraproject, Canonical, Debian, Redhat, Opensuse, Suse Cross-Site Scripting vulnerability in multiple products

The docshell implementation in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to trigger the loading of a URL with a spoofed baseURI property, and conduct cross-site scripting (XSS) attacks, via a crafted web site that performs history navigation.

4.3
2014-04-30 CVE-2014-1523 Mozilla, Fedoraproject, Debian, Canonical, Redhat, Opensuse, Suse Out-Of-Bounds Write vulnerability in multiple products

Heap-based buffer overflow in the read_u32 function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG image.

4.3
2014-04-29 CVE-2013-1804 PHP Fusion Cross-Site Scripting vulnerability in PHP-Fusion

Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) "__BBCODE__" parameter to administration/bbcodes.php; errorMessage parameter to (9) article_cats.php, (10) download_cats.php, (11) news_cats.php, or (12) weblink_cats.php in administration/, when error is 3; or (13) body or (14) body2 parameter to administration/articles.php.

4.3
2014-04-29 CVE-2014-2853 Mediawiki Cross-Site Scripting vulnerability in Mediawiki

Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.

4.3
2014-04-29 CVE-2013-7066 Entity Reference Project Permissions, Privileges, and Access Controls vulnerability in Entity Reference Project Entityreference 7.X1.0/7.X1.X

The Entity reference module 7.x-1.x before 7.x-1.1-rc1 for Drupal allows remote attackers to read private nodes titles by leveraging edit permissions to a node that references a private node.

4.3
2014-04-28 CVE-2014-2980 Gnustep Improper Input Validation vulnerability in Gnustep Base 1.24.6

Tools/gdomap.c in gdomap in GNUstep Base 1.24.6 and earlier, when run in daemon mode, does not properly handle the file descriptor for the logger, which allows remote attackers to cause a denial of service (abort) via an invalid request.

4.3
2014-04-28 CVE-2014-2715 Videowhisper Cross-Site Scripting vulnerability in Videowhisper

Multiple cross-site scripting (XSS) vulnerabilities in vwrooms\templates\logout.tpl.php in the VideoWhisper Webcam plugins for Drupal 7.x allow remote attackers to inject arbitrary web script or HTML via the (1) module or (2) message parameter to index.php.

4.3
2014-05-02 CVE-2014-1443 Coreftp Buffer Errors vulnerability in Coreftp Core FTP 1.2

Core FTP Server 1.2 before build 515 allows remote authenticated users to obtain sensitive information (password for the previous user) via a USER command with a specific length, possibly related to an out-of-bounds read.

4.0
2014-05-02 CVE-2014-1442 Coreftp Path Traversal vulnerability in Coreftp Core FTP 1.2

Directory traversal vulnerability in Core FTP Server 1.2 before build 515 allows remote authenticated users to determine the existence of arbitrary files via a /../ sequence in an XCRC command.

4.0
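
One confinement check that would close all four traversal entries in this report (the three Titan FTP web-interface actions, CVE-2014-1841 through CVE-2014-1843, and Core FTP's XCRC command above), as an added example that is neither vendor's code: the client-supplied path is percent-decoded only where the transport decodes it (the HTTP interface, not the FTP command channel), backslashes count as separators because both products run on Windows, the result is normalized lexically, and anything that lands outside the user's home is refused. The home folder and file names are illustrative.

```python
import posixpath
from urllib.parse import unquote


class TraversalError(PermissionError):
    """Raised when a client-supplied path would leave the user's home folder."""


def confine(home: str, requested: str, *, percent_decode: bool = False) -> str:
    """Map a client-supplied path onto an absolute path under `home`, or raise.

    home:           absolute, '/'-separated home folder of the authenticated user
    requested:      path exactly as received from the client (relative or absolute)
    percent_decode: True for a web interface, where %2e%2e must be decoded before the
                    check so '..%2F..' cannot slip past a literal comparison; False for
                    FTP commands such as XCRC, where '%2F' is a literal file-name character
    """
    if "\0" in requested:
        raise TraversalError("NUL byte in path")
    if percent_decode:
        requested = unquote(requested)
    requested = requested.replace("\\", "/")          # Windows servers accept '\\' as a separator
    home = posixpath.normpath("/" + home.strip("/"))
    candidate = posixpath.normpath(posixpath.join(home, requested.lstrip("/")))
    prefix = home if home == "/" else home + "/"
    if candidate != home and not candidate.startswith(prefix):
        raise TraversalError(f"{requested!r} escapes {home}")
    return candidate


def xcrc_target(home: str, argument: str) -> str:
    """Resolve the path argument of an FTP XCRC (or any other path-taking) command."""
    return confine(home, argument, percent_decode=False)


def web_action_target(home: str, path_param: str) -> str:
    """Resolve a path parameter of a web-interface action (Properties, Go, Move).
    For Move, apply this to the destination as well as the source."""
    return confine(home, path_param, percent_decode=True)


def is_confined(home: str, requested: str, percent_decode: bool = False) -> bool:
    """Convenience predicate for tests and logging: True if the path stays inside home."""
    try:
        confine(home, requested, percent_decode=percent_decode)
        return True
    except TraversalError:
        return False
```

Because the check is lexical, a symlink inside the home folder could still point outside it; on a real filesystem, resolve both `home` and the candidate with `os.path.realpath` after this step and repeat the prefix comparison on the resolved paths. Two further points the entries above illustrate: an existence oracle (XCRC returning different errors for missing versus present files) is a disclosure even when no content is read, and a "list all usernames" result means the traversal reached the parent of the per-user homes, so the check must run before any directory is opened, not only before a file is read.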
2014-05-01 CVE-2014-0857 IBM Information Exposure vulnerability in IBM Websphere Application Server

The Administrative Console in IBM WebSphere Application Server (WAS) 8.x before 8.0.0.9 and 8.5.x before 8.5.5.2 allows remote authenticated users to obtain sensitive information via a crafted request.

4.0
2014-04-30 CVE-2014-3132 SAP Permissions, Privileges, and Access Controls vulnerability in SAP Background Processing

SAP Background Processing does not properly restrict access, which allows remote authenticated users to obtain sensitive information via an unspecified RFC function, related to SAP Solution Manager 7.1.

4.0
2014-04-30 CVE-2014-3131 SAP Permissions, Privileges, and Access Controls vulnerability in SAP Profile Maintenance

SAP Profile Maintenance does not properly restrict access, which allows remote authenticated users to obtain sensitive information via an unspecified RFC function, related to SAP Solution Manager 7.1.

4.0
2014-04-29 CVE-2014-2185 Cisco Information Exposure vulnerability in Cisco Unified Communications Manager

The Call Detail Records (CDR) Management component in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to obtain sensitive information by reading extraneous fields in an HTML document, aka Bug ID CSCun74374.

4.0
2014-04-29 CVE-2014-2180 Cisco Improper Input Validation vulnerability in Cisco products

The Document Management component in Cisco Unified Contact Center Express does not properly validate a parameter, which allows remote authenticated users to upload files to arbitrary pathnames via a crafted HTTP request, aka Bug ID CSCun74133.

4.0

8 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-05-02 CVE-2014-1988 Cybozu Denial of Service vulnerability in Cybozu Garoon

The Phone Messages feature in Cybozu Garoon 2.0.0 through 3.7 SP2 allows remote authenticated users to cause a denial of service (resource consumption) via unspecified vectors.

3.5
2014-05-01 CVE-2014-0942 IBM Cross-Site Scripting vulnerability in IBM Tivoli Netcool/Omnibus 7.4.0

Cross-site scripting (XSS) vulnerability in webtop/eventviewer/eventViewer.jsp in the Web GUI in IBM Netcool/OMNIbus 7.4.0 before FP2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-0941.

3.5
2014-05-01 CVE-2014-0941 IBM Cross-Site Scripting vulnerability in IBM Tivoli Netcool/Omnibus 7.4.0

Cross-site scripting (XSS) vulnerability in webtop/eventviewer/eventViewer.jsp in the Web GUI in IBM Netcool/OMNIbus 7.4.0 before FP2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-0942.

3.5
2014-05-01 CVE-2013-6323 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 7.x before 7.0.0.33, 8.x before 8.0.0.9, and 8.5.x before 8.5.5.2, and WebSphere Virtual Enterprise 7.x before 7.0.0.5, allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

3.5
2014-04-30 CVE-2014-2260 Ajenti Cross-Site Scripting vulnerability in Ajenti 1.2.13

Cross-site scripting (XSS) vulnerability in plugins/main/content/js/ajenti.coffee in Eugene Pankov Ajenti 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via the command field in the Cron functionality.

3.5
2014-04-29 CVE-2013-7273 Gnome Unspecified vulnerability in Gnome Display Manager

GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list is set to true, allows local users to cause a denial of service (unable to login) by pressing the cancel button after entering a user name.

2.1
2014-04-29 CVE-2013-7064 Freelance IT Consultant Cross-Site Scripting vulnerability in Freelance-It-Consultant EU Cookie Compliance

Cross-site scripting (XSS) vulnerability in the EU Cookie Compliance module 7.x-1.x before 7.x-1.12 for Drupal allows remote authenticated administrators with the "Administer EU Cookie Compliance popup" permission to inject arbitrary web script or HTML via unspecified configuration values.

2.1
2014-04-28 CVE-2013-4285 Dkorunic Credentials Management vulnerability in Dkorunic PAM S/Key

A certain Gentoo patch for the PAM S/Key module does not properly clear credentials from memory, which allows local users to obtain sensitive information by reading system memory.

2.1