Weekly Vulnerabilities Reports > June 23 to 29, 2014
Overview
28 new vulnerabilities were reported during this period, including 2 critical vulnerabilities and 1 high severity vulnerability. This weekly summary reports vulnerabilities in 20 products from 17 vendors including IBM, Linux, HP, Microsoft, and Canonical. The vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Cross-Site Request Forgery (CSRF)", "Information Exposure", and "Improper Input Validation".
- 23 reported vulnerabilities are remotely exploitable.
- 2 reported vulnerabilities have a public exploit available.
- 10 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 16 reported vulnerabilities are exploitable by an anonymous user.
- IBM has the most reported vulnerabilities, with 7 reported vulnerabilities.
- Linux has the most reported critical vulnerabilities, with 1 reported vulnerability.
Vulnerability Details
The following tables list the vulnerabilities reported for the period covered by this report:
2 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-06-28 | CVE-2014-4648 | Piwigo | Security vulnerability in Piwigo: Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a "security failure." | 10.0 |
2014-06-28 | CVE-2014-2613 | HP, Microsoft, Linux | Privilege Escalation vulnerability in HP Release Control: Unspecified vulnerability in HP Release Control 9.x before 9.13 p3 and 9.2x before RC 9.21.0003 p1 on Windows and 9.2x before RC 9.21.0002 p1 on Linux allows remote authenticated users to gain privileges via unknown vectors. | 9.0 |
1 High Vulnerability
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-06-25 | CVE-2014-4644 | Cacti | SQL Injection vulnerability in Cacti Superlinks 1.42: SQL injection vulnerability in superlinks.php in the superlinks plugin 1.4-2 for Cacti allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
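The Cacti superlinks entry above is the textbook shape of the class: an `id` parameter that looks numeric but is spliced into the query text. As an added illustration of that class (example code written for this report, not the plugin's code; the `links` table and its rows are constructed), the following Python uses an in-memory SQLite database to contrast string-formatted SQL with a type-checked, parameterized lookup. The tautology payload used here is only one variant; UNION and stacked-query payloads travel the same path.

```python
"""Added example of the SQL injection class, not Cacti or superlinks code.
The `links` table and its rows are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a plugin's link storage (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (id INTEGER PRIMARY KEY, title TEXT, url TEXT)")
    conn.executemany(
        "INSERT INTO links VALUES (?, ?, ?)",
        [
            (1, "Public dashboard", "https://example.invalid/dash"),
            (2, "Internal wiki", "https://wiki.example.invalid/"),
            (3, "Admin console", "https://admin.example.invalid/"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, link_id: str) -> list:
    """Anti-pattern: the request parameter is pasted into the SQL text, so
    whatever the client sends becomes part of the statement."""
    sql = f"SELECT id, title, url FROM links WHERE id = {link_id}"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, link_id: str) -> list:
    """Validate the type, then bind the value; the driver never treats it as SQL."""
    if not link_id.isdigit():
        raise ValueError(f"id must be a non-negative integer, got {link_id!r}")
    return conn.execute(
        "SELECT id, title, url FROM links WHERE id = ?", (int(link_id),)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a benign id and a tautology payload."""
    conn = make_db()
    benign = "1"
    hostile = "1 OR 1=1"  # every row satisfies the resulting WHERE clause
    results = {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),
        "fixed_benign": len(lookup_fixed(conn, benign)),
    }
    try:
        lookup_fixed(conn, hostile)
        results["fixed_hostile"] = "accepted"
    except ValueError:
        results["fixed_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable lookup returns one row for `1` and all three for `1 OR 1=1`; the fixed lookup returns one row for `1` and refuses the payload before it reaches the database. Binding alone would also neutralize the payload, but rejecting a non-integer `id` up front gives a clear log signal instead of a silent empty result.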
20 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-06-25 | CVE-2014-2005 | Sophos | Improper Authentication vulnerability in Sophos Enterprise Console 5.1/5.2/5.2.1: Sophos Disk Encryption (SDE) 5.x in Sophos Enterprise Console (SEC) 5.x before 5.2.2 does not enforce intended authentication requirements for a resume action from sleep mode, which allows physically proximate attackers to obtain desktop access by leveraging the absence of a login screen. | 6.9 |
2014-06-28 | CVE-2014-3881 | Intercom | Cross-Site Request Forgery (CSRF) vulnerability in Intercom Web Kyukincho 3.0: Cross-site request forgery (CSRF) vulnerability in Intercom Web Kyukincho 3.x before 3.0.030 allows remote attackers to hijack the authentication of arbitrary users. | 6.8 |
2014-06-25 | CVE-2014-4030 | Longtailvideo | Cross-Site Request Forgery (CSRF) vulnerability in Longtailvideo JW Player for Flash & HTML5 Video Plugin: Cross-site request forgery (CSRF) vulnerability in the JW Player plugin before 2.1.4 for WordPress allows remote attackers to hijack the authentication of administrators for requests that remove players via a delete action to wp-admin/admin.php. | 6.8 |
2014-06-25 | CVE-2014-3882 | 12Net | Cross-Site Request Forgery (CSRF) vulnerability in 12Net Login Rebuilder: Cross-site request forgery (CSRF) vulnerability in the Login rebuilder plugin before 1.2.0 for WordPress allows remote attackers to hijack the authentication of arbitrary users. | 6.8 |
2014-06-25 | CVE-2014-3299 | Cisco | Improper Input Validation vulnerability in Cisco IOS: Cisco IOS allows remote authenticated users to cause a denial of service (device reload) via malformed IPsec packets, aka Bug ID CSCui79745. | 6.8 |
2014-06-28 | CVE-2014-4649 | Piwigo | SQL Injection vulnerability in Piwigo: SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field. | 6.5 |
2014-06-28 | CVE-2013-6311 | IBM | SQL Injection vulnerability in IBM Marketing Platform 9.1.0.0/9.1.0.1: SQL injection vulnerability in IBM Marketing Platform 9.1 before FP2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | 6.5 |
2014-06-27 | CVE-2011-1381 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM OpenPages GRC Platform 6.1.0.1: Unspecified vulnerability in IBM OpenPages GRC Platform 6.1.0.1 before IF4 allows remote attackers to bypass intended access restrictions via unknown vectors. | 6.4 |
2014-06-28 | CVE-2013-6309 | IBM | Code Injection vulnerability in IBM Marketing Platform 9.1.0.0/9.1.0.1: IBM Marketing Platform 9.1 before FP2 allows remote authenticated users to hijack sessions, and consequently read records, modify records, or conduct transactions, via an unspecified link injection. | 6.0 |
2014-06-23 | CVE-2014-0203 | Linux, Oracle | Use After Free vulnerability in multiple products: The __do_follow_link function in fs/namei.c in the Linux kernel before 2.6.33 does not properly handle the last pathname component during use of certain filesystems, which allows local users to cause a denial of service (incorrect free operations and system crash) via an open system call. | 5.5 |
2014-06-28 | CVE-2014-0891 | IBM | Information Exposure vulnerability in IBM WebSphere Application Server: IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.2 allows remote attackers to obtain sensitive information by leveraging incorrect request handling by the (1) Proxy or (2) ODR server. | 5.0 |
2014-06-27 | CVE-2014-3011 | IBM | Code Injection vulnerability in IBM OpenPages GRC Platform 6.1.0.1: IBM OpenPages GRC Platform 6.1.0.1 before IF4 allows remote attackers to conduct link injection attacks via unspecified vectors. | 5.0 |
2014-06-25 | CVE-2014-4643 | Coreftp | Buffer Errors vulnerability in Coreftp Core FTP 2.2: Multiple heap-based buffer overflows in the client in Core FTP LE 2.2 build 1798 allow remote FTP servers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string in a reply to a (1) USER, (2) PASS, (3) PASV, (4) SYST, (5) PWD, or (6) CDUP command. | 5.0 |
2014-06-28 | CVE-2013-6308 | IBM | URI Redirection vulnerability in IBM Marketing Platform 9.1.0.0/9.1.0.1: IBM Marketing Platform 9.1 before FP2 allows remote authenticated users to conduct phishing attacks and capture login credentials via an unspecified injection. | 4.9 |
2014-06-23 | CVE-2014-4508 | Linux, Canonical | Numeric Errors vulnerability in multiple products: arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. | 4.7 |
2014-06-23 | CVE-2014-4171 | Linux, Canonical | Local Denial of Service vulnerability in Linux Kernel: mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call. | 4.7 |
2014-06-28 | CVE-2014-2006 | Intercom | Cross-Site Scripting vulnerability in Intercom Web Kyukincho 3.0: Cross-site scripting (XSS) vulnerability in Intercom Web Kyukincho 3.x before 3.0.030 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2014-06-27 | CVE-2014-3433 | Symantec | Cross-Site Scripting vulnerability in Symantec Data Insight 3.0/3.0.1/4.0: Cross-site scripting (XSS) vulnerability in the management console in Symantec Data Insight 3.x and 4.x before 4.5 allows remote attackers to inject arbitrary web script or HTML via an unspecified form field, related to an "HTML script injection" issue. | 4.3 |
2014-06-27 | CVE-2014-3432 | Symantec | Cross-Site Scripting vulnerability in Symantec Data Insight 3.0/3.0.1/4.0: Cross-site scripting (XSS) vulnerability in the management console in Symantec Data Insight 3.x and 4.x before 4.5 allows remote attackers to inject arbitrary web script or HTML via an unspecified form field. | 4.3 |
2014-06-28 | CVE-2014-2612 | HP, Linux, Microsoft | Information Disclosure vulnerability in HP Release Control: Unspecified vulnerability in HP Release Control 9.x before 9.13 p3 and 9.2x before RC 9.21.0003 p1 on Windows and 9.2x before RC 9.21.0002 p1 on Linux allows remote authenticated users to obtain sensitive information via unknown vectors. | 4.0 |
5 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-06-28 | CVE-2014-4669 | HP | Information Exposure vulnerability in HP Enterprise Maps 1.00: HP Enterprise Maps 1.00 allows remote authenticated users to read arbitrary files via a WSDL document containing an XML external entity declaration in conjunction with an entity reference within a GetQuote operation, related to an XML External Entity (XXE) issue. | 3.5 |
2014-06-28 | CVE-2013-6310 | IBM | Cross-Site Scripting vulnerability in IBM Marketing Platform 9.1.0.0/9.1.0.1: Cross-site scripting (XSS) vulnerability in IBM Marketing Platform 9.1 before FP2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2014-06-25 | CVE-2014-4349 | phpMyAdmin | Cross-Site Scripting vulnerability in phpMyAdmin: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.1.x before 4.1.14.1 and 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name that is improperly handled after a (1) hide or (2) unhide action. | 3.5 |
2014-06-25 | CVE-2014-4348 | phpMyAdmin | Cross-Site Scripting vulnerability in phpMyAdmin: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name that is improperly handled after presence in (a) the favorite list or (b) recent tables. | 3.5 |
2014-06-23 | CVE-2014-0244 | Samba | Improper Input Validation vulnerability in Samba: The sys_recvfrom function in nmbd in Samba 3.6.x before 3.6.24, 4.0.x before 4.0.19, and 4.1.x before 4.1.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a malformed UDP packet. | 3.3 |
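The HP Enterprise Maps entry describes the XML External Entity (XXE) class: an entity declaration in an uploaded WSDL makes the server's parser read a local file and return its contents wherever the entity is referenced. The following Python is added here as a generic illustration of that class and is not HP's code. It builds a constructed WSDL-shaped document carrying such a declaration, shows a parser configured to resolve external general entities leaking a constructed secret file, and shows the pre-parse gate that rejects any DOCTYPE or entity declaration before the body is parsed. The secret file, its contents and the `GetQuote` wrapper element are assumptions for the demo.

```python
"""Added example of the XML External Entity (XXE) class, not HP Enterprise
Maps code. The WSDL-shaped document, the secret file and its contents are
constructed for the demo."""
import io
import os
import tempfile
import xml.parsers.expat
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def build_xxe_document(target_path: str) -> bytes:
    """A WSDL-shaped document (constructed) whose GetQuote operation references
    an external entity pointing at a file on the parser's host."""
    return (
        '<?xml version="1.0"?>'
        "<!DOCTYPE definitions ["
        f'<!ENTITY xxe SYSTEM "file://{target_path}">'
        "]>"
        '<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">'
        '<operation name="GetQuote"><documentation>&xxe;</documentation></operation>'
        "</definitions>"
    ).encode()


class TextCollector(ContentHandler):
    """Collects character data so the demo can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_unsafely(xml_bytes: bytes) -> str:
    """xml.sax with external general entities enabled: the parser fetches
    whatever SYSTEM URL the document declares and splices it into the text."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous switch
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def reject_dtd(xml_bytes: bytes) -> None:
    """Pre-parse gate: abort on any DOCTYPE or entity declaration. An uploaded
    WSDL has no legitimate need for a DTD, so the whole class is refused."""
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError(f"DOCTYPE {name!r} is not allowed in uploaded documents")

    def on_entity(*args):
        raise ValueError("entity declarations are not allowed in uploaded documents")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.Parse(xml_bytes, True)


def parse_safely(xml_bytes: bytes) -> str:
    """Gate first, then parse with the default (external entities disabled)."""
    reject_dtd(xml_bytes)
    handler = TextCollector()
    xml.sax.parseString(xml_bytes, handler)
    return "".join(handler.parts)


def demo() -> dict:
    """Write a constructed secret, leak it through the unsafe parser, then show
    the gate stopping the same document while passing a harmless one."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write("db_password=hunter2")  # constructed secret, not real data
        secret_path = os.path.abspath(f.name)
    try:
        doc = build_xxe_document(secret_path)
        leaked = parse_unsafely(doc).strip()
        try:
            parse_safely(doc)
            blocked = False
        except ValueError:
            blocked = True
        harmless = (
            b'<definitions><operation name="GetQuote">'
            b"<documentation>ok</documentation></operation></definitions>"
        )
        return {"leaked": leaked, "blocked": blocked, "harmless": parse_safely(harmless)}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

With the feature enabled, the contents of the file named in the SYSTEM identifier come back as ordinary character data inside `<documentation>`; the same mechanism reaches `http://` URLs, which is what turns XXE into SSRF. The gate runs on the raw bytes before any application-level parser sees them, so it does not depend on every downstream library being configured correctly. In production the usual choices are `defusedxml`, or `lxml` with `resolve_entities=False` and `no_network=True`, with the gate kept as a belt-and-braces check at the upload boundary.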