Weekly Vulnerabilities Reports > July 14 to 20, 2014

Overview

186 new vulnerabilities reported during this period, including 16 critical vulnerabilities and 13 high severity vulnerabilities. This weekly summary report vulnerabilities in 135 products from 49 vendors including Oracle, Debian, Cisco, HP, and IBM. Vulnerabilities are notably categorized as "Cross-site Scripting", "Permissions, Privileges, and Access Controls", "Information Exposure", "Improper Input Validation", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 160 reported vulnerabilities are remotely exploitables.
  • 12 reported vulnerabilities have public exploit available.
  • 32 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 126 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 92 reported vulnerabilities.
  • Oracle has the most reported critical vulnerabilities, with 8 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

16 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-07-20 CVE-2014-1987 Cybozu OS Command Injection vulnerability in Cybozu Garoon

The CGI component in Cybozu Garoon 3.1.0 through 3.7 SP3 allows remote attackers to execute arbitrary commands via unspecified vectors.

10.0
2014-07-18 CVE-2014-3306 Cisco Improper Input Validation vulnerability in Cisco products

The web server on Cisco DPC3010, DPC3212, DPC3825, DPC3925, DPQ3925, EPC3010, EPC3212, EPC3825, and EPC3925 Wireless Residential Gateway products allows remote attackers to execute arbitrary code via a crafted HTTP request, aka Bug ID CSCup40808.

10.0
2014-07-18 CVE-2014-2623 HP Remote Code Execution vulnerability in HP Storage Data Protector 8.0/8.10

Unspecified vulnerability in HP Storage Data Protector 8.x allows remote attackers to execute arbitrary code via unknown vectors.

10.0
2014-07-17 CVE-2014-4227 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

10.0
2014-07-16 CVE-2013-5755 Yealink Credentials Management vulnerability in Yealink Sip-T38G

config/.htpasswd in Yealink IP Phone SIP-T38G has a hardcoded password of (1) user (s7C9Cx.rLsWFA) for the user account, (2) admin (uoCbM.VEiKQto) for the admin account, and (3) var (jhl3iZAe./qXM) for the var account, which makes it easier for remote attackers to obtain access via unspecified vectors.

10.0
2014-07-15 CVE-2014-3418 Infoblox OS Command Injection vulnerability in Infoblox Netmri

config/userAdmin/login.tdf in Infoblox NetMRI before 6.8.5 allows remote attackers to execute arbitrary commands via shell metacharacters in the skipjackUsername parameter.

10.0
2014-07-14 CVE-2014-2955 Raritan Improper Authentication vulnerability in Raritan Dpxr20A-16 and PX

Raritan PX before 1.5.11 on DPXR20A-16 devices allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

10.0
2014-07-14 CVE-2014-2951 Datumsystems Unspecified vulnerability in Datumsystems Snip

Datum Systems SnIP on PSM-500 and PSM-4500 devices has a hardcoded password of admin for the admin account, which makes it easier for remote attackers to obtain access via unspecified vectors.

10.0
2014-07-17 CVE-2014-4262 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

9.3
2014-07-17 CVE-2014-4247 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX.

9.3
2014-07-17 CVE-2014-4223 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7u60 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-2483.

9.3
2014-07-17 CVE-2014-4219 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

9.3
2014-07-17 CVE-2014-4216 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

9.3
2014-07-17 CVE-2014-2490 HP
Debian
Oracle
Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and SE 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
9.3
2014-07-17 CVE-2014-2483 Debian
Redhat
Oracle
Unspecified vulnerability in the Java SE component in Oracle Java SE Java SE 7u60 and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-4223.
9.3
2014-07-16 CVE-2014-2606 HP Privilege Escalation vulnerability in HP StoreVirtual 4000 Storage and StoreVirtual VSA

Unspecified vulnerability in HP StoreVirtual 4000 Storage and StoreVirtual VSA 9.5 through 11.0 allows remote authenticated users to gain privileges via unknown vectors.

9.0

13 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-07-16 CVE-2014-2622 HP Information Disclosure vulnerability in HP products

Unspecified vulnerability in HP Intelligent Management Center (iMC) before 7.0 E02020P03 and Branch Intelligent Management System (BIMS) before 7.0 E0201P02 allows remote authenticated users to obtain sensitive information or modify data via unknown vectors, aka ZDI-CAN-2312.

8.5
2014-07-16 CVE-2014-4018 ZTE Credentials Management vulnerability in ZTE Zxv10 W300 and Zxv10 W300 Firmware

The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which makes it easier for remote attackers to obtain access via unspecified vectors.

7.8
2014-07-16 CVE-2014-2621 HP Information Disclosure vulnerability in HP products

Unspecified vulnerability in HP Intelligent Management Center (iMC) before 7.0 E02020P03 and Branch Intelligent Management System (BIMS) before 7.0 E0201P02 allows remote attackers to obtain sensitive information via unknown vectors, aka ZDI-CAN-2090.

7.8
2014-07-16 CVE-2014-2620 HP Information Disclosure vulnerability in HP products

Unspecified vulnerability in HP Intelligent Management Center (iMC) before 7.0 E02020P03 and Branch Intelligent Management System (BIMS) before 7.0 E0201P02 allows remote attackers to obtain sensitive information via unknown vectors, aka ZDI-CAN-2089.

7.8
2014-07-16 CVE-2014-2619 HP Information Disclosure vulnerability in HP products

Unspecified vulnerability in HP Intelligent Management Center (iMC) before 7.0 E02020P03 and Branch Intelligent Management System (BIMS) before 7.0 E0201P02 allows remote attackers to obtain sensitive information via unknown vectors, aka ZDI-CAN-2088.

7.8
2014-07-16 CVE-2014-2618 HP Information Disclosure vulnerability in HP products

Unspecified vulnerability in HP Intelligent Management Center (iMC) before 7.0 E02020P03 and Branch Intelligent Management System (BIMS) before 7.0 E0201P02 allows remote attackers to obtain sensitive information via unknown vectors, aka ZDI-CAN-2080.

7.8
2014-07-14 CVE-2014-2950 Datumsystems Unauthorized Access vulnerability in Datum Systems PSM-4500 and PSM-500 Series

Datum Systems SnIP on PSM-500 and PSM-4500 devices does not require authentication for FTP sessions, which allows remote attackers to obtain sensitive information via RETR commands.

7.8
2014-07-20 CVE-2014-3161 Google Permissions, Privileges, and Access Controls vulnerability in Google Chrome

The WebMediaPlayerAndroid::load function in content/renderer/media/android/webmediaplayer_android.cc in Google Chrome before 36.0.1985.122 on Android does not properly interact with redirects, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that hosts a video stream.

7.5
2014-07-20 CVE-2014-1999 Fuelphp Code Injection vulnerability in Fuelphp

The auto-format feature in the Request_Curl class in FuelPHP 1.1 through 1.7.1 allows remote attackers to execute arbitrary code via a crafted response.

7.5
2014-07-20 CVE-2014-1996 Cybozu Permissions, Privileges, and Access Controls vulnerability in Cybozu Garoon 3.7/3.7.0

Cybozu Garoon 3.7 before SP4 allows remote authenticated users to bypass intended access restrictions, and execute arbitrary code or cause a denial of service, via an API call.

7.5
2014-07-19 CVE-2014-2364 Advantech Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Advantech Webaccess 5.0/6.0/7.0

Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

7.5
2014-07-15 CVE-2014-3419 Infoblox Credentials Management vulnerability in Infoblox Netmri

Infoblox NetMRI before 6.8.5 has a default password of admin for the "root" MySQL database account, which makes it easier for local users to obtain access via unspecified vectors.

7.2
2014-07-17 CVE-2014-4257 Oracle Remote Security vulnerability in Oracle Fusion Middleware 11.1.1.7.0/11.1.1.8.0

Unspecified vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.7.0 and 11.1.1.8.0 allows remote attackers to affect confidentiality via unknown vectors related to Portlet Services.

7.1

125 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-07-19 CVE-2014-4943 Linux
Opensuse
Suse
Redhat
Debian
Improper Privilege Management vulnerability in multiple products

The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.

6.9
2014-07-17 CVE-2014-4261 Oracle Local Security vulnerability in Oracle VM VirtualBox

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.14 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-2487.

6.9
2014-07-17 CVE-2014-4225 SUN Local Security vulnerability in SUN Sunos 5.10

Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Patch installation scripts.

6.9
2014-07-17 CVE-2014-2487 Oracle
Microsoft
Local Security vulnerability in Oracle VM VirtualBox

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.14, when running on Windows, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-4261.

6.9
2014-07-20 CVE-2014-3160 Debian
Google
Permissions, Privileges, and Access Controls vulnerability in multiple products

The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG files, which allows remote attackers to bypass the Same Origin Policy via a crafted file.

6.8
2014-07-20 CVE-2014-0226 Apache Race Condition vulnerability in Apache Http Server

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

6.8
2014-07-17 CVE-2014-4267 Oracle Remote Security vulnerability in Oracle WebLogic Server

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components.

6.8
2014-07-17 CVE-2014-4255 Oracle Remote Security vulnerability in Oracle Fusion Middleware 10.3.6/12.1.1/12.1.2.0.0

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS - Security and Policy.

6.8
2014-07-17 CVE-2014-4254 Oracle Remote Security vulnerability in Oracle Fusion Middleware 10.3.6/12.1.1/12.1.2.0.0

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS - Web Services.

6.8
2014-07-17 CVE-2014-2481 Oracle Remote Security vulnerability in Oracle WebLogic Server

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-2480.

6.8
2014-07-17 CVE-2014-2480 Oracle Remote Security vulnerability in Oracle WebLogic Server

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-2481.

6.8
2014-07-17 CVE-2014-2479 Oracle Remote Security vulnerability in Oracle WebLogic Server

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS - Web Services.

6.8
2014-07-15 CVE-2014-4964 Shopizer Cross-Site Request Forgery (CSRF) vulnerability in Shopizer 1.1.5

Multiple cross-site request forgery (CSRF) vulnerabilities in Shopizer 1.1.5 and earlier allow remote attackers to hijack the authentication of users for requests that (1) modify customer settings or hijack the authentication of administrators for requests that change (2) customer passwords, (3) shop configuration, or (4) product details, as demonstrated by (5) modify a product's price via a crafted request to central/catalog/saveproduct.action or (6) creating a product review via a crafted request to shop/product/createReview.action.

6.8
2014-07-15 CVE-2014-4963 Shopizer Unspecified vulnerability in Shopizer 1.1.5

Shopizer 1.1.5 and earlier allows remote attackers to modify the account settings of arbitrary users via the customer.customerId parameter to shop/profile/register.action.

6.8
2014-07-15 CVE-2014-4663 Binarymoon Code Injection vulnerability in Binarymoon Timthumb and Wordthumb

TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.

6.8
2014-07-14 CVE-2014-3319 Cisco Path Traversal vulnerability in Cisco Unified Communications Manager 10.0(1)

Directory traversal vulnerability in the Real-Time Monitoring Tool (RTMT) in Cisco Unified Communications Manager (CM) 10.0(1) allows remote authenticated users to read arbitrary files via a crafted URL, aka Bug ID CSCup57676.

6.8
2014-07-14 CVE-2013-6691 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Adaptive Security Appliance Software

The WebVPN CIFS implementation in Cisco Adaptive Security Appliance (ASA) Software 9.0(.4.1) and earlier allows remote CIFS servers to cause a denial of service (device reload) via a long share list, aka Bug ID CSCuj83344.

6.8
2014-07-19 CVE-2014-3043 IBM Permissions, Privileges, and Access Controls vulnerability in IBM products

IBM Storwize V7000 Unified 1.3.x and 1.4.x before 1.4.3.3 allows remote authenticated users to gain privileges by leveraging access to the service account.

6.5
2014-07-17 CVE-2014-4258 Oracle
Vmware
Opensuse Project
Debian
Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier and 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRINFOSC.

6.5
2014-07-17 CVE-2014-4236 Oracle Remote Security vulnerability in Oracle Database Server 11.2.0.4/12.1.0.1

Unspecified vulnerability in the RDBMS Core component in Oracle Database Server 11.2.0.4 and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.

6.5
2014-07-17 CVE-2014-2484 Oracle
Suse
Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRFTS.

6.5
2014-07-16 CVE-2014-4977 Sonicwall SQL Injection vulnerability in Sonicwall Scrutinizer 11.0.1

Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 11.0.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) selectedUserGroup parameter in a create new user request to cgi-bin/admin.cgi or the (2) user_id parameter in the changeUnit function, (3) methodDetail parameter in the methodDetail function, or (4) xcNetworkDetail parameter in the xcNetworkDetail function in d4d/exporters.php.

6.5
2014-07-14 CVE-2014-4944 Bannersky SQL Injection vulnerability in Bannersky BSK PDF Manager 1.3.2

Multiple SQL injection vulnerabilities in inc/bsk-pdf-dashboard.php in the BSK PDF Manager plugin 1.3.2 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) categoryid or (2) pdfid parameter to wp-admin/admin.php.

6.5
2014-07-20 CVE-2014-3159 Google Improper Input Validation vulnerability in Google Chrome

The WebContentsDelegateAndroid::OpenURLFromTab function in components/web_contents_delegate_android/web_contents_delegate_android.cc in Google Chrome before 36.0.1985.122 on Android does not properly restrict URL loading, which allows remote attackers to spoof the URL in the Omnibox via unspecified vectors.

6.4
2014-07-17 CVE-2014-4209 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX.

6.4
2014-07-17 CVE-2014-2493 Oracle Remote Security vulnerability in Oracle Fusion Middleware 11.1.1.7.0/11.1.2.4.0/12.1.2.0.0

Unspecified vulnerability in the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.2.4.0, and 12.1.2.0.0 allows remote attackers to affect confidentiality and availability via vectors related to ADF Faces.

6.4
2014-07-15 CVE-2014-4962 Shopizer Numeric Errors vulnerability in Shopizer 1.1.5

Shopizer 1.1.5 and earlier allows remote attackers to reduce the total cost of their shopping cart via a negative number in the productQuantity parameter, which causes the price of the item to be subtracted from the total cost.

6.4
2014-07-19 CVE-2014-3064 IBM Information Exposure vulnerability in IBM products

The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.x and 11.x before 11.0 FP4 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 allows remote authenticated users to read arbitrary files via a crafted UNIX file parameter.

6.3
2014-07-19 CVE-2014-2519 EMC Information Exposure vulnerability in EMC Recoverpoint Appliance 4.1

The default configuration of EMC RecoverPoint Appliance (RPA) 4.1 before 4.1.0.1 does not enable a firewall, which allows remote attackers to obtain potentially sensitive information about open ports, or cause a denial of service, by sending packets to many ports.

5.8
2014-07-18 CVE-2014-3320 Cisco Unspecified vulnerability in Cisco Unified Communications Domain Manager

Multiple open redirect vulnerabilities in the admin web interface in the web framework in Cisco Unified Communications Domain Manager (CDM) 8.1(.4) and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted URLs for unspecified scripts, aka Bug ID CSCuo48835.

5.8
2014-07-17 CVE-2014-4256 Oracle Remote Security vulnerability in Oracle WebLogic Server

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality and integrity via vectors related to WLS - Deployment.

5.8
2014-07-18 CVE-2014-3321 Cisco Improper Input Validation vulnerability in Cisco products

Cisco IOS XR 4.3.4 and earlier on ASR 9000 devices, when bridge-group virtual interface (BVI) routing is enabled, allows remote attackers to cause a denial of service (chip and card hangs) via a series of crafted MPLS packets, aka Bug ID CSCuo91149.

5.7
2014-07-19 CVE-2014-2365 Advantech Remote Code Execution vulnerability in Advantech Webaccess 5.0/6.0/7.0

Unspecified vulnerability in Advantech WebAccess before 7.2 allows remote authenticated users to create or delete arbitrary files via unknown vectors.

5.5
2014-07-17 CVE-2014-4260 Oracle
Debian
Suse
Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.

5.5
2014-07-17 CVE-2014-4229 Oracle Remote Security vulnerability in Oracle Transportation Management

Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, and 6.3.4 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Data, Domain, and Function Security.

5.5
2014-07-17 CVE-2014-2496 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Test Framework.

5.5
2014-07-17 CVE-2014-2482 Oracle Remote Security vulnerability in Oracle E-Business Suite 12.1.3/12.2.2/12.2.3

Unspecified vulnerability in the Oracle Concurrent Processing component in Oracle E-Business Suite 12.1.3, 12.2.2, and 12.2.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.

5.5
2014-07-17 CVE-2014-2456 Oracle Remote Security vulnerability in Oracle Peoplesoft products 9.1/9.2

Unspecified vulnerability in the PeopleSoft Enterprise ELS Enterprise Learning Management component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.

5.5
2014-07-16 CVE-2014-4976 Sonicwall Permissions, Privileges, and Access Controls vulnerability in Sonicwall Scrutinizer 11.0.1

Dell SonicWall Scrutinizer 11.0.1 allows remote authenticated users to change user passwords via the user ID in the savePrefs parameter in a change password request to cgi-bin/admin.cgi.

5.5
2014-07-14 CVE-2014-3317 Cisco Path Traversal vulnerability in Cisco Unified Communications Manager 10.0(1)

Directory traversal vulnerability in the Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager 10.0(1) allows remote authenticated users to delete arbitrary files via a crafted URL, aka Bug ID CSCup76314.

5.5
2014-07-14 CVE-2013-5567 Cisco Resource Management Errors vulnerability in Cisco Adaptive Security Appliance Software

Cisco Adaptive Security Appliance (ASA) Software 8.4(.6) and earlier, when using an unsupported configuration with overlapping criteria for filtering and inspection, allows remote attackers to cause a denial of service (traffic loop and device crash) via a packet that triggers multiple matches, aka Bug ID CSCui45606.

5.4
2014-07-17 CVE-2014-4226 Oracle Remote Security vulnerability in Oracle Peoplesoft products 9.1/9.2

Unspecified vulnerability in the PeopleSoft Enterprise FIN Install component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

5.1
2014-07-20 CVE-2014-4342 Debian
MIT
Redhat
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session.

5.0
2014-07-20 CVE-2014-4341 MIT
Redhat
Debian
Fedoraproject
Out-Of-Bounds Read vulnerability in multiple products

MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session.

5.0
2014-07-20 CVE-2014-3523 Apache Resource Management Errors vulnerability in Apache Http Server

Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

5.0
2014-07-20 CVE-2014-3162 Debian
Google
Multiple Security vulnerability in Google Chrome Prior to 36.0.1985.122

Multiple unspecified vulnerabilities in Google Chrome before 36.0.1985.125 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

5.0
2014-07-20 CVE-2014-1973 Nextapp Path Traversal vulnerability in Nextapp File Explorer

Directory traversal vulnerability in the NextApp File Explorer application before 2.1.0.3 for Android allows remote attackers to overwrite or create arbitrary files via a crafted filename.

5.0
2014-07-20 CVE-2014-0231 Apache Resource Management Errors vulnerability in Apache Http Server

The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.

5.0
2014-07-19 CVE-2012-2682 Redhat Improper Input Validation vulnerability in Redhat Enterprise MRG 2.5

Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, allows attackers with certain database privileges to cause a denial of service (inaccessible page) via a non-ASCII character in the name of a link.

5.0
2014-07-19 CVE-2013-7391 Entity API Project Permissions, Privileges, and Access Controls vulnerability in Entity API Project Entity API 7.X1.0/7.X1.1

The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using the (a) Views field or (b) area plugins, allows remote attackers to read restricted entities via the (1) field, (2) header, or (3) footer of a View.

5.0
2014-07-19 CVE-2014-2368 Advantech Information Exposure vulnerability in Advantech Webaccess 5.0/6.0/7.0

The BrowseFolder method in the bwocxrun ActiveX control in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call.

5.0
2014-07-17 CVE-2014-4271 Oracle Remote Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3

Unspecified vulnerability in the Hyperion Essbase component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote attackers to affect availability via unknown vectors related to Agent.

5.0
2014-07-17 CVE-2014-4268 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Swing.

5.0
2014-07-17 CVE-2014-4266 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Serviceability.

5.0
2014-07-17 CVE-2014-4265 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

5.0
2014-07-17 CVE-2014-4264 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect availability via unknown vectors related to Security.

5.0
2014-07-17 CVE-2014-4253 Oracle Remote Security vulnerability in Oracle WebLogic Server

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect availability via vectors related to WebLogic Server JVM.

5.0
2014-07-17 CVE-2014-4252 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Security.

5.0
2014-07-17 CVE-2014-4249 Oracle Directory Traversal vulnerability in Oracle Fusion Middleware 11.1.1.7.0

Unspecified vulnerability in the BI Publisher component in Oracle Fusion Middleware 11.1.1.7 allows remote attackers to affect confidentiality via unknown vectors related to Mobile Service.

5.0
2014-07-17 CVE-2014-4234 Oracle Remote Security vulnerability in Oracle Transportation Management

Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, and 6.3.4 allows remote attackers to affect confidentiality via unknown vectors related to Data, Domain & Function Security.

5.0
2014-07-17 CVE-2014-4220 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4208.

5.0
2014-07-17 CVE-2014-4218 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Libraries.

5.0
2014-07-17 CVE-2014-4211 Oracle Remote Security vulnerability in Oracle Fusion Middleware 11.1.1.7.0/11.1.1.8.0

Unspecified vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.7 and 11.1.1.8 allows remote attackers to affect integrity via unknown vectors related to Portlet Services.

5.0
2014-07-17 CVE-2014-4210 Oracle Remote Security vulnerability in Oracle WebLogic Server

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect confidentiality via vectors related to WLS - Web Services.

5.0
2014-07-17 CVE-2014-4202 Oracle Remote Security vulnerability in Oracle WebLogic Server

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect availability via vectors related to WLS - Web Services.

5.0
2014-07-17 CVE-2014-4201 Oracle Remote Security vulnerability in Oracle Fusion Middleware 10.3.6/12.1.1/12.1.2.0.0

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect availability via vectors related to WLS - Web Services.

5.0
2014-07-16 CVE-2014-4347 Citrix Information Exposure vulnerability in Citrix products

Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway (formerly Access Gateway Enterprise Edition) before 9.3-62.4 and 10.x before 10.1-126.12 allows attackers to obtain sensitive information via vectors related to a cookie.

5.0
2014-07-16 CVE-2014-4154 ZTE Permissions, Privileges, and Access Controls vulnerability in ZTE Zxv10 W300 and Zxv10 W300 Firmware

ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the PPPoE/PPPoA password via a direct request for basic/tc2wanfun.js.

5.0
2014-07-16 CVE-2014-3777 Reportico Path Traversal vulnerability in Reportico PHP Report Designer

Directory traversal vulnerability in Reportico PHP Report Designer before 4.0 allows remote attackers to read arbitrary files via a ..

5.0
2014-07-16 CVE-2014-3427 Yealink Unspecified vulnerability in Yealink Voip Phone Firmware 28.72.0.2

CRLF injection vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the model parameter to servlet.

5.0
2014-07-16 CVE-2014-2605 HP Information Disclosure vulnerability in HP StoreVirtual 4000 Storage and StoreVirtual VSA

Unspecified vulnerability in HP StoreVirtual 4000 Storage and StoreVirtual VSA 9.5 through 11.0 allows remote attackers to obtain sensitive information via unknown vectors.

5.0
2014-07-15 CVE-2014-1474 Bestpractical
Email
Numeric Errors vulnerability in multiple products

Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of service (CPU consumption) via a string without an address.

5.0
2014-07-17 CVE-2014-4224 Oracle
SUN
Local Command Injection vulnerability in Cisco Wireless LAN Controller

Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11.1 allows local users to affect availability via unknown vectors related to sockfs.

4.9
2014-07-17 CVE-2014-4215 Oracle
SUN
Local Security vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local users to affect availability via vectors related to CPU performance counters (CPC) drivers, a different vulnerability than CVE-2013-5862.

4.9
2014-07-15 CVE-2014-3953 Freebsd Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Freebsd

FreeBSD 8.4 before p14, 9.1 before p17, 9.2 before p10, and 10.0 before p7 does not properly initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via a (1) SCTP_SNDRCV, (2) SCTP_EXTRCV, or (3) SCTP_RCVINFO SCTP cmsg or a (4) SCTP_PEER_ADDR_CHANGE, (5) SCTP_REMOTE_ERROR, or (6) SCTP_AUTHENTICATION_EVENT notification.

4.9
2014-07-15 CVE-2014-3952 Freebsd Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Freebsd

FreeBSD 8.4 before p14, 9.1 before p17, 9.2 before p10, and 10.0 before p7 does not properly initialize the buffer between the header and data of a control message, which allows local users to obtain sensitive information from kernel memory via unspecified vectors.

4.9
2014-07-14 CVE-2014-4013 Arubanetworks SQL Injection vulnerability in Arubanetworks Clearpass

SQL injection vulnerability in the Policy Manager in Aruba Networks ClearPass 5.x, 6.0.x, 6.1.x through 6.1.4.61696, 6.2.x through 6.2.6.62196, and 6.3.x before 6.3.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

4.9
2014-07-17 CVE-2014-4228 Oracle Local Security vulnerability in Oracle VM VirtualBox

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via vectors related to Graphics driver (WDDM) for Windows guests.

4.4
2014-07-20 CVE-2014-3894 PHP Kobo Cross-Site Scripting vulnerability in PHP Kobo Multifunctional Mailform Free

Cross-site scripting (XSS) vulnerability in PHP Kobo Multifunctional MailForm Free 2014/1/28 and earlier allows remote attackers to inject arbitrary web script or HTML via an HTTP Referer header.

4.3
2014-07-20 CVE-2014-3892 Nexatechnologies Cross-Site Scripting vulnerability in Nexatechnologies Meridian

Cross-site scripting (XSS) vulnerability in Nexa Meridian before 2014 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-07-20 CVE-2014-3885 Webmin Cross-Site Scripting vulnerability in Webmin

Cross-site scripting (XSS) vulnerability in Webmin before 1.690 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-07-20 CVE-2014-3884 Webmin Cross-Site Scripting vulnerability in Webmin Usermin

Cross-site scripting (XSS) vulnerability in Usermin before 1.600 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-07-20 CVE-2014-0118 Apache Resource Management Errors vulnerability in Apache Http Server

The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size.

4.3
2014-07-20 CVE-2014-0117 Apache
Apple
Improper Input Validation vulnerability in multiple products

The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header.

4.3
2014-07-20 CVE-2013-4352 Apache Unspecified vulnerability in Apache Http Server 2.4.6

The cache_invalidate function in modules/cache/cache_storage.c in the mod_cache module in the Apache HTTP Server 2.4.6, when a caching forward proxy is enabled, allows remote HTTP servers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger a missing hostname value.

4.3
2014-07-19 CVE-2014-4331 Octavocms Cross-Site Scripting vulnerability in Octavocms

Cross-site scripting (XSS) vulnerability in admin/viewer.php in OctavoCMS allows remote attackers to inject arbitrary web script or HTML via the src parameter.

4.3
2014-07-19 CVE-2014-3325 Cisco Cross-Site Scripting vulnerability in Cisco Unified Customer Voice Portal

Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified Customer Voice Portal (CVP) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug IDs CSCuh61711, CSCuh61720, CSCuh61723, CSCuh61726, CSCuh61727, CSCuh61731, and CSCuh61733.

4.3
2014-07-19 CVE-2014-2367 Advantech Information Exposure vulnerability in Advantech Webaccess 5.0/6.0/7.0

The ChkCookie subroutine in an ActiveX control in broadweb/include/gChkCook.asp in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call.

4.3
2014-07-18 CVE-2014-0957 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in IBM Business Process Manager 7.5 through 8.5.5, and WebSphere Lombardi Edition 7.2, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that triggers a service failure.

4.3
2014-07-17 CVE-2014-4242 Oracle Remote Security vulnerability in Oracle WebLogic Server

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect integrity via unknown vectors related to Console.

4.3
2014-07-17 CVE-2014-4241 Vmware
Oracle
Remote Security vulnerability in Oracle WebLogic Server

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect integrity via vectors related to WLS - Web Services.

4.3
2014-07-17 CVE-2014-4232 Oracle Remote Security vulnerability in Oracle products

Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) component in Oracle Virtualization 4.63, 4.71, 5.0, and 5.1 allows remote attackers to affect integrity via unknown vectors related to Workspace Web Application, a different vulnerability than CVE-2014-2463.

4.3
2014-07-17 CVE-2014-4231 Oracle Remote Security vulnerability in Oracle Siebel CRM 8.1.1/8.2.2

Unspecified vulnerability in the Siebel Travel & Transportation component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to Diary.

4.3
2014-07-17 CVE-2014-4230 Oracle Remote Security vulnerability in Oracle Siebel CRM 8.1.1/8.2.2

Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via vectors related to Open_UI, a different vulnerability than CVE-2014-2468.

4.3
2014-07-17 CVE-2014-4221 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Libraries.

4.3
2014-07-17 CVE-2014-4217 Oracle Remote Security vulnerability in Oracle Fusion Middleware 10.0.2/10.3.6/12.1.1

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, and 12.1.1.0 allows remote attackers to affect integrity via vectors related to WLS - Web Services.

4.3
2014-07-17 CVE-2014-4213 Oracle Remote Security vulnerability in Oracle E-Business Suite

Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 12.0.6, 12.1.3, 12.2.2, and 12.2.3 allows remote attackers to affect integrity via unknown vectors.

4.3
2014-07-17 CVE-2014-4212 Oracle Remote Security vulnerability in Oracle Fusion Middleware 11.1.1.7.0

Unspecified vulnerability in the Oracle Fusion Middleware component in Oracle Fusion Middleware 11.1.1.7 allows remote attackers to affect confidentiality via unknown vectors related to Process Mgmt and Notification.

4.3
2014-07-17 CVE-2014-4205 Oracle Remote Security vulnerability in Oracle Siebel CRM 8.1.1/8.2.2

Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to Portal Framework, a different vulnerability than CVE-2014-2491.

4.3
2014-07-17 CVE-2014-2492 Oracle Remote Security vulnerability in Oracle Supply Chain products Suite 9.3.3

Unspecified vulnerability in the Oracle Agile Product Collaboration component in Oracle Supply Chain Products Suite 9.3.3 allows remote attackers to affect integrity via unknown vectors related to Web client (PC).

4.3
2014-07-17 CVE-2014-2491 Oracle Remote Security vulnerability in Oracle Siebel CRM 8.1.1/8.2.2

Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to Portal Framework, a different vulnerability than CVE-2014-4205.

4.3
2014-07-17 CVE-2014-0436 Oracle Remote Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3

Unspecified vulnerability in the Hyperion BI+ component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote attackers to affect integrity via unknown vectors related to Web Analysis.

4.3
2014-07-17 CVE-2013-5855 Oracle Cross-Site Scripting vulnerability in Oracle Mojarra

Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.

4.3
2014-07-16 CVE-2014-4346 Citrix Cross-Site Scripting vulnerability in Citrix products

Cross-site scripting (XSS) vulnerability in administration user interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway (formerly Access Gateway Enterprise Edition) 10.1 before 10.1-126.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-07-15 CVE-2014-4965 Shopizer Cross-Site Scripting vulnerability in Shopizer 1.1.5

Multiple cross-site scripting (XSS) vulnerabilities in Shopizer 1.1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) customername parameter to central/orders/searchcriteria.action; (2) productname, (3) availability, or (4) status parameter to central/catalog/productlist.action; or unspecified vectors in (5) WebContent/orders/orderlist.jsp.

4.3
2014-07-14 CVE-2014-4946 Horde Cross-Site Scripting vulnerability in Horde Groupware and Internet Mail Program

Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via (1) unspecified flags or (2) a mailbox name in the dynamic mailbox view.

4.3
2014-07-14 CVE-2014-4945 Horde Cross-Site Scripting vulnerability in Horde Groupware and Internet Mail Program

Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via an unspecified flag in the basic (1) mailbox or (2) message view.

4.3
2014-07-17 CVE-2014-4203 Oracle Local Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3

Unspecified vulnerability in the Hyperion Enterprise Performance Management Architect component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Property Editing.

4.1
2014-07-17 CVE-2014-2489 Oracle Local Security vulnerability in Oracle VM VirtualBox

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.

4.1
2014-07-20 CVE-2014-4987 Opensuse
Phpmyadmin
Permissions, Privileges, and Access Controls vulnerability in multiple products

server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request.

4.0
2014-07-20 CVE-2014-1993 Cybozu Permissions, Privileges, and Access Controls vulnerability in Cybozu Garoon

The Portlets subsystem in Cybozu Garoon 2.x and 3.x before 3.7 SP4 allows remote authenticated users to bypass intended access restrictions via unspecified vectors.

4.0
2014-07-19 CVE-2013-4273 Entity API Project Permissions, Privileges, and Access Controls vulnerability in Entity API Project Entity API 7.X1.0/7.X1.1

The Entity API module 7.x-1.x before 7.x-1.2 for Drupal does not properly restrict access to node comments, which allows remote authenticated users to read the comments via unspecified vectors.

4.0
2014-07-19 CVE-2014-2366 Advantech Information Exposure vulnerability in Advantech Webaccess 5.0/6.0/7.0

upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenticated users to discover credentials by reading HTML source code.

4.0
2014-07-18 CVE-2014-3323 Cisco Path Traversal vulnerability in Cisco Unified Contact Center Enterprise

Directory traversal vulnerability in Cisco Unified Contact Center Enterprise allows remote authenticated users to read arbitrary web-root files via a crafted URL, aka Bug ID CSCun25262.

4.0
2014-07-17 CVE-2014-4270 Oracle Remote Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3

Unspecified vulnerability in the Hyperion Common Admin component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote authenticated users to affect confidentiality via unknown vectors related to User Interface, a different vulnerability than CVE-2014-4269.

4.0
2014-07-17 CVE-2014-4269 Oracle Remote Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3

Unspecified vulnerability in the Hyperion Common Admin component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote authenticated users to affect confidentiality via unknown vectors related to User Interface, a different vulnerability than CVE-2014-4270.

4.0
2014-07-17 CVE-2014-4263 Oracle Unspecified vulnerability in Oracle Jdk, JRE and Jrockit

Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to "Diffie-Hellman key agreement." Per: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html "Applies to Diffie-Hellman key agreement in client and server deployment of Java."

4.0
2014-07-17 CVE-2014-4244 Oracle Unspecified vulnerability in Oracle Jdk, JRE and Jrockit

Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security.

4.0
2014-07-17 CVE-2014-4239 Oracle
SUN
Remote Security vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Common Agent Container (Cacao).

4.0
2014-07-17 CVE-2014-4238 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect availability via vectors related to SROPTZR.

4.0
2014-07-17 CVE-2014-4237 Oracle Remote Security vulnerability in Oracle Database Server 11.2.0.4/12.1.0.1

Unspecified vulnerability in the RDBMS Core component in Oracle Database Server 11.2.0.4 and 12.1.0.1 allows remote authenticated users to affect confidentiality via unknown vectors.

4.0
2014-07-17 CVE-2014-4233 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect availability via vectors related to SRREP.

4.0
2014-07-17 CVE-2014-4207 Oracle
Suse
Debian
Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allows remote authenticated users to affect availability via vectors related to SROPTZR.

4.0
2014-07-17 CVE-2014-2494 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allows remote authenticated users to affect availability via vectors related to ENARC.

4.0
2014-07-15 CVE-2014-4031 Arubanetworks Information Exposure vulnerability in Arubanetworks Clearpass

The Policy Manager in Aruba Networks ClearPass 5.x, 6.0.x, 6.1.x through 6.1.4.61696, 6.2.x through 6.2.6.62196, and 6.3.x before 6.3.4 allows remote authenticated users to obtain database credentials via unspecified vectors.

4.0

32 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-07-17 CVE-2014-4240 Oracle Local Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows local users to affect confidentiality and integrity via vectors related to SRREP.

3.6
2014-07-17 CVE-2014-2477 Oracle Local Privilege Escalation vulnerability in Oracle VM VirtualBox

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-2486.

3.6
2014-07-20 CVE-2014-4986 Phpmyadmin Cross-Site Scripting vulnerability in PHPmyadmin

Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message.

3.5
2014-07-20 CVE-2014-4955 Phpmyadmin Cross-Site Scripting vulnerability in PHPmyadmin

Cross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList function in libraries/rte/rte_list.lib.php in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted trigger name that is improperly handled on the database triggers page.

3.5
2014-07-20 CVE-2014-4954 Phpmyadmin Cross-Site Scripting vulnerability in PHPmyadmin

Cross-site scripting (XSS) vulnerability in the PMA_getHtmlForActionLinks function in libraries/structure.lib.php in phpMyAdmin 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted table comment that is improperly handled during construction of a database structure page.

3.5
2014-07-20 CVE-2014-1995 Cybozu Cross-Site Scripting vulnerability in Cybozu Garoon

Cross-site scripting (XSS) vulnerability in the Map search functionality in Cybozu Garoon 2.x and 3.x before 3.7 SP4 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2014-07-20 CVE-2014-1994 Cybozu Cross-Site Scripting vulnerability in Cybozu Garoon

Cross-site scripting (XSS) vulnerability in the Notices portlet in Cybozu Garoon 2.x and 3.x before 3.7 SP4 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2014-07-20 CVE-2014-1992 Cybozu Cross-Site Scripting vulnerability in Cybozu Garoon

Cross-site scripting (XSS) vulnerability in the Messages functionality in Cybozu Garoon 3.1.x, 3.5.x, and 3.7.x before 3.7 SP4 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2014-07-19 CVE-2014-0970 IBM Improper Input Validation vulnerability in IBM products

The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.x and 11.x before 11.0 FP4 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 allows remote authenticated users to inject links via unspecified vectors.

3.5
2014-07-19 CVE-2014-0968 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in the GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.x and 11.x before 11.0 FP4 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL for an MHTML document.

3.5
2014-07-19 CVE-2014-0967 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in the GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.x and 11.x before 11.0 FP4 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

3.5
2014-07-17 CVE-2014-4251 Oracle Remote Security vulnerability in Oracle HTTP Server

Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0 and 12.1.2.0 allows remote authenticated users to affect integrity via vectors related to plugin 1.1.

3.5
2014-07-17 CVE-2014-4250 Oracle Remote Security vulnerability in Oracle Siebel CRM 8.1.1/8.2.2

Unspecified vulnerability in the Siebel Core - Server OM Frwks component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Object Manager.

3.5
2014-07-17 CVE-2014-4246 Oracle Remote Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3

Unspecified vulnerability in the Hyperion Analytic Provider Services component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote authenticated users to affect confidentiality via vectors related to SVP.

3.5
2014-07-17 CVE-2014-4245 Oracle Remote Security vulnerability in Oracle Database Server

Unspecified vulnerability in the RDBMS Core component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality via unknown vectors.

3.5
2014-07-17 CVE-2014-4235 Oracle Remote Security vulnerability in Oracle E-Business Suite

Unspecified vulnerability in the Oracle iStore component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, and 12.2.3 allows remote authenticated users to affect integrity via unknown vectors.

3.5
2014-07-17 CVE-2014-4204 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.53

Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology.

3.5
2014-07-17 CVE-2014-4214 Suse
Oracle
Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect availability via vectors related to SRSP.

3.3
2014-07-17 CVE-2014-4206 Oracle Local Security vulnerability in Oracle Hyperion 11.1.2.2/11.1.2.3

Unspecified vulnerability in the Hyperion Enterprise Performance Management Architect component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows local users to affect integrity and availability via unknown vectors related to Data Synchronizer.

3.3
2014-07-17 CVE-2014-2486 Oracle Local Security vulnerability in Oracle VM VirtualBox

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-2477.

3.0
2014-07-17 CVE-2014-4243 Oracle
Opensuse Project
Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to ENFED.

2.8
2014-07-20 CVE-2014-3886 Webmin Cross-Site Scripting vulnerability in Webmin

Cross-site scripting (XSS) vulnerability in Webmin before 1.690, when referrer checking is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2.6
2014-07-17 CVE-2014-4208 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4220.

2.6
2014-07-17 CVE-2014-2495 Oracle Remote Security vulnerability in Oracle Peoplesoft products 9.1/9.2

Unspecified vulnerability in the PeopleSoft Enterprise SCM Purchasing component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Purchasing.

2.3
2014-07-19 CVE-2014-3533 Debian
D BUS Project
Mageia Project
Opensuse
Improper Input Validation vulnerability in multiple products

dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.

2.1
2014-07-19 CVE-2014-3532 D BUS Project
Linux
Opensuse
Debian
Mageia
Oracle
Improper Input Validation vulnerability in multiple products

dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.

2.1
2014-07-19 CVE-2014-3045 IBM Information Exposure vulnerability in IBM Scale OUT Network Attached Storage

IBM Scale Out Network Attached Storage (SONAS) 1.3.x and 1.4.x before 1.4.3.3 places an administrative password in the shell history upon use of the -p option to chuser, which allows local users to obtain sensitive information by leveraging root access.

2.1
2014-07-17 CVE-2014-4222 Oracle Remote Security vulnerability in Oracle HTTP Server

Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0 and 12.1.2.0 allows remote authenticated users to affect confidentiality via vectors related to plugin 1.1.

2.1
2014-07-14 CVE-2014-2926 Kaseya Unspecified vulnerability in Kaseya Virtual System Administrator 6.5/7.0

kapfa.sys in Kaseya Virtual System Administrator (VSA) 6.5 before 6.5.0.17 and 7.0 before 7.0.0.16 allows local users to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors.

1.7
2014-07-17 CVE-2014-2485 Oracle Local Security vulnerability in Oracle Siebel CRM 8.1.1/8.2.2

Unspecified vulnerability in the Siebel Core - EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows local users to affect confidentiality via unknown vectors related to Integration Business Services.

1.4
2014-07-17 CVE-2014-4248 Oracle Local Security vulnerability in Oracle E-Business Suite

Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, and 12.2.3 allows local users to affect confidentiality via unknown vectors related to Logging.

1.0
2014-07-17 CVE-2014-2488 Oracle Local Security vulnerability in Oracle VM VirtualBox

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality via unknown vectors related to Core.

1.0