Weekly Vulnerabilities Reports > July 21 to 27, 2014
Overview
82 new vulnerabilities were reported during this period, including 18 critical vulnerabilities and 15 high severity vulnerabilities. This weekly summary covers vulnerabilities in 84 products from 47 vendors, including Mozilla, Cisco, Siemens, Drupal, and IBM. The vulnerabilities are most notably categorized as "Cross-site Scripting", "Permissions, Privileges, and Access Controls", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "SQL Injection", and "Improper Input Validation".
- 75 reported vulnerabilities are remotely exploitable.
- 6 reported vulnerabilities have a public exploit available.
- 28 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 73 reported vulnerabilities are exploitable by an anonymous user.
- Mozilla has the most reported vulnerabilities, with 14 reported vulnerabilities.
- Mozilla has the most reported critical vulnerabilities, with 9 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report, grouped by severity:
18 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-07-26 | CVE-2014-2363 | Morpho | Hardcoded Credentials Security Bypass vulnerability in Morpho Itemiser 3 8.17 Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request. | 10.0 |
2014-07-24 | CVE-2014-0607 | Attachmate | Arbitrary File Upload vulnerability in Attachmate Verastream Process Designer 6.0 Unrestricted file upload vulnerability in Attachmate Verastream Process Designer (VPD) before R6 SP1 Hotfix 1 allows remote attackers to execute arbitrary code by uploading and launching an executable file. | 10.0 |
2014-07-23 | CVE-2014-4502 | Bfgminer Sgminer Project | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Multiple heap-based buffer overflows in the parse_notify function in sgminer before 4.2.2, cgminer before 4.3.5, and BFGMiner before 4.1.0 allow remote pool servers to have unspecified impact via a (1) large or (2) negative value in the Extranonc2_size parameter in a mining.subscribe response and a crafted mining.notify request. | 10.0 |
2014-07-23 | CVE-2014-4501 | Sgminer Project Cgminer Project Bfgminer | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Multiple stack-based buffer overflows in sgminer before 4.2.2, cgminer before 4.3.5, and BFGMiner before 3.3.0 allow remote pool servers to have unspecified impact via a long URL in a client.reconnect stratum message to the (1) extract_sockaddr or (2) parse_reconnect functions in util.c. | 10.0 |
2014-07-23 | CVE-2014-1551 | Mozilla Microsoft | Use After Free Memory Corruption vulnerability in Mozilla Firefox, Firefox ESR and Thunderbird Use-after-free vulnerability in the FontTableRec destructor in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 on Windows allows remote attackers to execute arbitrary code via crafted use of fonts in MathML content, leading to improper handling of a DirectWrite font-face object. | 10.0 |
2014-07-23 | CVE-2014-1550 | Mozilla | Use After Free Memory Corruption vulnerability in Mozilla Firefox and Thunderbird Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering. | 10.0 |
2014-07-23 | CVE-2014-1548 | Mozilla | Memory Corruption vulnerability in Mozilla Firefox and Thunderbird Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 10.0 |
2014-07-23 | CVE-2014-1547 | Mozilla | Memory Corruption vulnerability in Mozilla Firefox, Firefox ESR and Thunderbird Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 10.0 |
2014-07-23 | CVE-2014-1544 | Mozilla | Use After Free Memory Corruption vulnerability in Mozilla Firefox/Thunderbird Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain. | 10.0 |
2014-07-22 | CVE-2014-4947 | Citrix | Buffer Errors vulnerability in Citrix Xenserver 6.2.0 Buffer overflow in the HVM graphics console support in Citrix XenServer 6.2 Service Pack 1 and earlier has unspecified impact and attack vectors. | 10.0 |
2014-07-26 | CVE-2014-2626 | HP | Path Traversal vulnerability in HP Network Virtualization 8.6 Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024. | 9.4 |
2014-07-26 | CVE-2014-4979 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime Apple QuickTime allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a malformed version number and flags in an mvhd atom. | 9.3 |
2014-07-23 | CVE-2014-3939 | Autodesk | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Autodesk Sketchbook PRO 6.2.4/6.2.5 Heap-based buffer overflow in Autodesk SketchBook Pro before 6.2.6 allows remote attackers to execute arbitrary code via crafted layer bitmap data in a PXD file. | 9.3 |
2014-07-23 | CVE-2014-3938 | Autodesk | Numeric Errors vulnerability in Autodesk Sketchbook PRO 6.2.4/6.2.5 Integer overflow in Autodesk SketchBook Pro before 6.2.6 allows remote attackers to execute arbitrary code via crafted layer mask data in a PSD file, which triggers a heap-based buffer overflow. | 9.3 |
2014-07-23 | CVE-2014-1557 | Oracle Mozilla Debian | Code Injection vulnerability in multiple products The ConvolveHorizontally function in Skia, as used in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, does not properly handle the discarding of image data during function execution, which allows remote attackers to execute arbitrary code by triggering prolonged image scaling, as demonstrated by scaling of a high-quality image. | 9.3 |
2014-07-23 | CVE-2014-1556 | Mozilla | Code Injection vulnerability in Mozilla Firefox, Firefox ESR and Thunderbird Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to execute arbitrary code via crafted WebGL content constructed with the Cesium JavaScript library. | 9.3 |
2014-07-23 | CVE-2014-1555 | Mozilla | Use After Free Memory Corruption vulnerability in Mozilla Firefox, Firefox ESR and Thunderbird Use-after-free vulnerability in the nsDocLoader::OnProgress function in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allows remote attackers to execute arbitrary code via vectors that trigger a FireOnStateChange event. | 9.3 |
2014-07-23 | CVE-2014-1549 | Mozilla | Buffer Errors vulnerability in Mozilla Firefox and Thunderbird The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via crafted audio content that is improperly handled during playback buffering. | 9.3 |
15 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-07-26 | CVE-2014-2625 | HP | Path Traversal vulnerability in HP Network Virtualization 8.6 Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023. | 8.5 |
2014-07-24 | CVE-2014-2362 | Oleumtech | Predictable Random Number Generator vulnerability in Oleumtech products OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation. | 7.8 |
2014-07-24 | CVE-2014-2717 | Honeywell | Authentication Bypass vulnerability in Honeywell products Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to bypass authentication and obtain administrative access by visiting the change-password page. | 7.6 |
2014-07-27 | CVE-2014-4726 | Mailpoet | Security vulnerability in WordPress MailPoet Newsletters Plugin Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors. | 7.5 |
2014-07-27 | CVE-2014-4725 | Mailpoet | Improper Authentication vulnerability in Mailpoet Newsletters The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/. | 7.5 |
2014-07-26 | CVE-2014-4858 | Sabreairlinesolutions | SQL Injection vulnerability in Sabreairlinesolutions products Multiple SQL injection vulnerabilities in CWPLogin.aspx in Sabre AirCentre Crew products 2010.2.12.20008 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password field. | 7.5 |
2014-07-25 | CVE-2014-5102 | Vbulletin | SQL Injection vulnerability in Vbulletin SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items. | 7.5 |
2014-07-24 | CVE-2014-4736 | Blogengine | SQL Injection vulnerability in Blogengine E2 2.4 SQL injection vulnerability in E2 before 2.4 (2845) allows remote attackers to execute arbitrary SQL commands via the note-id parameter to @actions/comment-process. | 7.5 |
2014-07-24 | CVE-2014-2360 | Oleumtech | Improper Input Validation vulnerability in Oleumtech products OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules allow remote attackers to execute arbitrary code via packets that report a high battery voltage. | 7.5 |
2014-07-22 | CVE-2014-4326 | Elastic | OS Command Injection vulnerability in Elastic Logstash Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/. | 7.5 |
2014-07-22 | CVE-2013-7392 | Gitlist | Arbitrary Command Execution vulnerability in GitList Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/. | 7.5 |
2014-07-21 | CVE-2014-5017 | Limesurvey | SQL Injection vulnerability in Limesurvey 2.05+ SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter. | 7.5 |
2014-07-21 | CVE-2014-4960 | Joomlaboat | SQL Injection vulnerability in Joomlaboat COM Youtubegallery Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php. | 7.5 |
2014-07-26 | CVE-2014-4971 | Microsoft | Improper Input Validation vulnerability in Microsoft Windows XP Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem. | 7.2 |
2014-07-24 | CVE-2014-2361 | Oleumtech | Local Security Bypass vulnerability in Oleumtech products OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules, when BreeZ is used, do not require authentication for reading the site security key, which allows physically proximate attackers to spoof communication by obtaining this key after use of direct hardware access or manual-setup mode. | 7.2 |
45 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-07-24 | CVE-2014-1419 | Canonical | Race Condition vulnerability in Canonical Acpi-Support and Ubuntu Linux Race condition in the power policy functions in policy-funcs in acpi-support before 0.142 allows local users to gain privileges via unspecified vectors. | 6.9 |
2014-07-26 | CVE-2014-3305 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Webex Meetings Server Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, aka Bug ID CSCuj81735. | 6.8 |
2014-07-25 | CVE-2014-5100 | Omeka | Cross-Site Request Forgery (CSRF) vulnerability in Omeka Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_label parameter to admin/users/api-keys/1, or (3) disable file validation via a request to admin/settings/edit-security. | 6.8 |
2014-07-24 | CVE-2014-4686 | Siemens | Privilege Escalation vulnerability in Siemens Simatic Pcs7 and Wincc The Project administration application in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, has a hardcoded encryption key, which allows remote attackers to obtain sensitive information by extracting this key from another product installation and then employing this key during the sniffing of network traffic on TCP port 1030. | 6.8 |
2014-07-22 | CVE-2014-3518 | Redhat | Code Injection vulnerability in Redhat products jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors. | 6.8 |
2014-07-22 | CVE-2014-5023 | Gitlist | Remote Command Execution vulnerability in GitList Repository.php in Gitter, as used in Gitlist, allows remote attackers with commit privileges to execute arbitrary commands via shell metacharacters in a branch name, as demonstrated by a "git checkout -b" command. | 6.8 |
2014-07-26 | CVE-2014-3326 | Cisco | SQL Injection vulnerability in Cisco Security Manager 4.5/4.6 SQL injection vulnerability in the web framework in Cisco Security Manager 4.5 and 4.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCup26957. | 6.5 |
2014-07-22 | CVE-2014-4948 | Citrix | Denial of Service and Information Disclosure vulnerability in Citrix Xenserver 6.2.0 Unspecified vulnerability in Citrix XenServer 6.2 Service Pack 1 and earlier allows attackers to cause a denial of service and obtain sensitive information by modifying the guest virtual hard disk (VHD). | 6.4 |
2014-07-24 | CVE-2014-3322 | Cisco | Improper Input Validation vulnerability in Cisco products Cisco IOS XR 4.3(.2) and earlier on ASR 9000 devices does not properly perform NetFlow sampling of IP packets, which allows remote attackers to cause a denial of service (chip and card hangs) via malformed (1) IPv4 or (2) IPv6 packets, aka Bug ID CSCuo68417. | 6.1 |
2014-07-25 | CVE-2014-2227 | UI | Permissions, Privileges, and Access Controls vulnerability in UI Unifi Video 2.1.3 The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file. | 6.0 |
2014-07-24 | CVE-2014-4684 | Siemens | Permissions, Privileges, and Access Controls vulnerability in Siemens Simatic Pcs7 and Wincc The database server in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, allows remote authenticated users to gain privileges via a request to TCP port 1433. | 6.0 |
2014-07-24 | CVE-2014-2369 | Omron | Cross-Site Request Forgery (CSRF) vulnerability in Omron products Cross-site request forgery (CSRF) vulnerability in the web application on Omron NS5, NS8, NS10, NS12, and NS15 HMI terminals 8.1xx through 8.68x allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. | 6.0 |
2014-07-23 | CVE-2014-1561 | Mozilla Oracle | Permissions, Privileges, and Access Controls vulnerability in multiple products Mozilla Firefox before 31.0 does not properly restrict use of drag-and-drop events to spoof customization events, which allows remote attackers to alter the placement of UI icons via crafted JavaScript code that is encountered during (1) page, (2) panel, or (3) toolbar customization. | 5.8 |
2014-07-23 | CVE-2014-1552 | Mozilla | Permissions, Privileges, and Access Controls vulnerability in Mozilla Firefox and Thunderbird Mozilla Firefox before 31.0 and Thunderbird before 31.0 do not properly implement the sandbox attribute of the IFRAME element, which allows remote attackers to bypass intended restrictions on same-origin content via a crafted web site in conjunction with a redirect. | 5.8 |
2014-07-26 | CVE-2014-2966 | Caucho | Improper Input Validation vulnerability in Caucho Resin The ISO-8859-1 encoder in Resin Pro before 4.0.40 does not properly perform Unicode transformations, which allows remote attackers to bypass intended text restrictions via crafted characters, as demonstrated by bypassing an XSS protection mechanism. | 5.0 |
2014-07-26 | CVE-2014-3328 | Cisco | Resource Exhaustion vulnerability in Cisco Unified Presence Server The Intercluster Sync Agent Service in Cisco Unified Presence Server allows remote attackers to cause a denial of service via a TCP SYN flood, aka Bug ID CSCun34125. | 5.0 |
2014-07-26 | CVE-2014-3301 | Cisco | Information Exposure vulnerability in Cisco Webex Meetings Server The ProfileAction controller in Cisco WebEx Meetings Server (CWMS) 1.5(.1.131) and earlier allows remote attackers to obtain sensitive information by reading stack traces in returned messages, aka Bug ID CSCuj81700. | 5.0 |
2014-07-24 | CVE-2014-5015 | Eterna Netbsd | Permissions, Privileges, and Access Controls vulnerability in multiple products bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path. | 5.0 |
2014-07-24 | CVE-2014-4682 | Siemens | Information Exposure vulnerability in Siemens Simatic Pcs7 and Wincc The WebNavigator server in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, allows remote attackers to obtain sensitive information via an HTTP request. | 5.0 |
2014-07-23 | CVE-2014-4980 | Tenable | Information Exposure vulnerability in Tenable Nessus and web UI The /server/properties resource in Tenable Web UI before 2.3.5 for Nessus 5.2.3 through 5.2.7 allows remote attackers to obtain sensitive information via the token parameter. | 5.0 |
2014-07-22 | CVE-2014-5019 | Drupal | Improper Input Validation vulnerability in Drupal The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use. | 5.0 |
2014-07-22 | CVE-2014-4911 | Polarssl Debian | Cryptographic Issues vulnerability in multiple products The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit. | 5.0 |
2014-07-24 | CVE-2014-4683 | Siemens | Permissions, Privileges, and Access Controls vulnerability in Siemens Simatic Pcs7 and Wincc The WebNavigator server in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, allows remote authenticated users to gain privileges via a (1) HTTP or (2) HTTPS request. | 4.9 |
2014-07-22 | CVE-2014-5020 | Drupal | Permissions, Privileges, and Access Controls vulnerability in Drupal The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field. | 4.9 |
2014-07-24 | CVE-2014-4910 | X | Path Traversal vulnerability in X Xf86-Video-Intel 2.99.911 Directory traversal vulnerability in tools/backlight_helper.c in X.Org xf86-video-intel 2.99.911 allows remote attackers to create or overwrite arbitrary files via a .. | 4.6 |
2014-07-24 | CVE-2014-4685 | Siemens | Permissions, Privileges, and Access Controls vulnerability in Siemens Simatic Pcs7 and Wincc Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, allows local users to gain privileges by leveraging weak system-object access control. | 4.6 |
2014-07-26 | CVE-2014-4857 | Gurock | Cross-Site Scripting vulnerability in Gurock Testrail Cross-site scripting (XSS) vulnerability in Gurock TestRail before 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the Created By field in a project activity. | 4.3 |
2014-07-26 | CVE-2014-4748 | IBM | Cross-Site Scripting vulnerability in IBM Sametime Cross-site scripting (XSS) vulnerability in the Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 4.3 |
2014-07-26 | CVE-2014-3324 | Cisco | Cross-Site Scripting vulnerability in Cisco Telepresence Server Software Multiple cross-site scripting (XSS) vulnerabilities in the login page in the administrative web interface in Cisco TelePresence Server Software 4.0(2.8) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug ID CSCup90060. | 4.3 |
2014-07-26 | CVE-2014-3071 | IBM | Cross-Site Scripting vulnerability in IBM Infosphere Information Server 11.3 Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection. | 4.3 |
2014-07-25 | CVE-2014-5103 | Zohocorp | Cross-Site Scripting vulnerability in Zohocorp Manageengine Eventlog Analyzer 9.0 Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine EventLog Analyzer 9 build 9000 allows remote attackers to inject arbitrary web script or HTML via the j_username parameter to event/j_security_check. | 4.3 |
2014-07-25 | CVE-2014-5101 | Webidsupport | Cross-Site Scripting vulnerability in Webidsupport Webid 1.1.1 Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authnet_id, (12) TPL_authnet_pass, (13) TPL_worldpay_id, (14) TPL_toocheckout_id, or (15) TPL_moneybookers_email in a first action to register.php or the (16) username parameter in a login action to user_login.php. | 4.3 |
2014-07-25 | CVE-2014-5027 | Reviewboard | Cross-Site Scripting vulnerability in Reviewboard Review Board Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page. | 4.3 |
2014-07-24 | CVE-2014-5024 | Sonicwall | Cross-Site Scripting vulnerability in Sonicwall Analyzer, Global Management System and UMA Em5000 Cross-site scripting (XSS) vulnerability in sgms/panelManager in Dell SonicWALL GMS, Analyzer, and UMA before 7.2 SP1 allows remote attackers to inject arbitrary web script or HTML via the node_id parameter. | 4.3 |
2014-07-24 | CVE-2014-3110 | Honeywell | Cross-Site Scripting vulnerability in Honeywell products Multiple cross-site scripting (XSS) vulnerabilities on Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to inject arbitrary web script or HTML via invalid input. | 4.3 |
2014-07-24 | CVE-2014-2968 | Huawei | Cross-Site Scripting vulnerability in Huawei E355, E355 Firmware and E355 web UI Cross-site scripting (XSS) vulnerability in the web interface on the Huawei E355 CH1E355SM modem with software 21.157.37.01.910 and Web UI 11.001.08.00.03 allows remote attackers to inject arbitrary web script or HTML via an SMS message. | 4.3 |
2014-07-23 | CVE-2014-4503 | Sgminer Project Cgminer Project | Improper Input Validation vulnerability in multiple products The parse_notify function in util.c in sgminer before 4.2.2 and cgminer 3.3.0 through 4.0.1 allows man-in-the-middle attackers to cause a denial of service (application exit) via a crafted (1) bbversion, (2) prev_hash, (3) nbit, or (4) ntime parameter in a mining.notify action stratum message. | 4.3 |
2014-07-23 | CVE-2014-1560 | Mozilla | Unspecified vulnerability in Mozilla Firefox and Thunderbird Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (X.509 certificate parsing outage) via a crafted certificate that does not use ASCII character encoding in a required context. | 4.3 |
2014-07-23 | CVE-2014-1559 | Mozilla | Security vulnerability in Mozilla Firefox and Thunderbird Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (X.509 certificate parsing outage) via a crafted certificate that does not use UTF-8 character encoding in a required context, a different vulnerability than CVE-2014-1558. | 4.3 |
2014-07-23 | CVE-2014-1558 | Mozilla | Security vulnerability in Mozilla Firefox and Thunderbird Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (X.509 certificate parsing outage) via a crafted certificate that does not use UTF-8 character encoding in a required context, a different vulnerability than CVE-2014-1559. | 4.3 |
2014-07-22 | CVE-2014-5022 | Drupal | Cross-Site Scripting vulnerability in Drupal Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field. | 4.3 |
2014-07-22 | CVE-2014-2385 | Sophos | Cross-Site Scripting vulnerability in Sophos Anti-Virus 9.5.1 Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter to exclusion/configure or (4) text:EmailServer or (5) newListList:Email parameter to notification/configure. | 4.3 |
2014-07-21 | CVE-2014-5018 | Limesurvey | Unspecified vulnerability in Limesurvey 2.05+ Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume. | 4.3 |
2014-07-21 | CVE-2014-5016 | Limesurvey | Cross-Site Scripting vulnerability in Limesurvey 2.05+ Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to application/views/admin/globalSettings_view.php, or (3) a crafted CSV file to the "Import CSV" functionality. | 4.3 |
2014-07-21 | CVE-2014-4734 | E107 | Cross-Site Scripting vulnerability in E107 2.0 Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter. | 4.3 |
4 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-07-24 | CVE-2014-2971 | Micropact | Cross-Site Scripting vulnerability in Micropact Icomplaints 8.0 Cross-site scripting (XSS) vulnerability in AddStdLetter.jsp in MicroPact iComplaints before 8.0.2.1.8.8014 allows remote authenticated users to inject arbitrary web script or HTML via the description parameter. | 3.5 |
2014-07-24 | CVE-2014-2370 | Omron | Cross-Site Scripting vulnerability in Omron products Cross-site scripting (XSS) vulnerability in the web application on Omron NS5, NS8, NS10, NS12, and NS15 HMI terminals 8.1xx through 8.68x allows remote authenticated users to inject arbitrary web script or HTML via crafted data. | 3.5 |
2014-07-26 | CVE-2014-4747 | IBM | Information Exposure vulnerability in IBM Sametime The Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows physically proximate attackers to discover a meeting password hash by leveraging access to an unattended workstation to read HTML source code within a victim's browser. | 2.1 |
2014-07-22 | CVE-2014-5021 | Drupal | Cross-Site Scripting vulnerability in Drupal Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label. | 2.1 |