Weekly Vulnerabilities Report: September 15 to 21, 2014

Overview

228 new vulnerabilities were reported during this period, including 19 critical and 9 high severity vulnerabilities. This weekly summary reports vulnerabilities in 164 products from 125 vendors, including Apple, Wireshark, Microsoft, Advantech, and Adobe. The most common weakness categories are "Cryptographic Issues", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "Cross-site Scripting", and "Information Exposure".

  • 101 reported vulnerabilities are remotely exploitable.
  • 5 reported vulnerabilities have a public exploit available.
  • 23 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 217 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 70.
  • Apple has the most reported critical vulnerabilities, with 16.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:

19 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2014-09-19 | CVE-2014-4393 | Apple | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple Mac OS X | 10.0
  Buffer overflow in the shader compiler in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GLSL shader.

2014-09-19 | CVE-2014-4376 | Apple | IOAcceleratorFamily Arbitrary Code Execution vulnerability in Apple Mac OS X | 10.0
  IOKit in IOAcceleratorFamily in Apple OS X before 10.9.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted API arguments.

2014-09-17 | CVE-2014-0568 | Adobe, Microsoft | Security Bypass vulnerability in Adobe Reader and Acrobat | 10.0
  The NtSetInformationFile system call hook feature in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows allows attackers to bypass a sandbox protection mechanism, and consequently execute native code in a privileged context, via an NTFS junction attack.

2014-09-17 | CVE-2014-0567 | Adobe, Apple, Microsoft | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader | 10.0
  Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0561.

2014-09-17 | CVE-2014-0566 | Adobe, Apple, Microsoft | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Adobe products | 10.0
  Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0565.

2014-09-17 | CVE-2014-0565 | Adobe, Apple, Microsoft | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader | 10.0
  Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0566.

2014-09-17 | CVE-2014-0561 | Adobe, Apple, Microsoft | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader | 10.0
  Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0567.

2014-09-17 | CVE-2014-0560 | Adobe, Apple, Microsoft | Resource Management Errors vulnerability in Adobe Acrobat and Acrobat Reader | 10.0
  Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors.

2014-09-19 | CVE-2014-4402 | Apple | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple Mac OS X | 9.3
  An unspecified IOAcceleratorFamily function in Apple OS X before 10.9.5 lacks proper bounds checking on read operations, which allows attackers to execute arbitrary code in a privileged context via a crafted application.

2014-09-19 | CVE-2014-4390 | Apple | Improper Input Validation vulnerability in Apple Mac OS X | 9.3
  Bluetooth in Apple OS X before 10.9.5 does not properly validate API calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application.

2014-09-19 | CVE-2006-1318 | Microsoft | Code Injection vulnerability in Microsoft Office | 9.3
  Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

2014-09-18 | CVE-2014-4418 | Apple | Improper Input Validation vulnerability in Apple iPhone OS and tvOS | 9.3
  IOKit in Apple iOS before 8 and Apple TV before 7 does not properly validate IODataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via an application that provides crafted values in unspecified metadata fields, a different vulnerability than CVE-2014-4388.

2014-09-18 | CVE-2014-4405 | Apple | NULL Pointer Dereference Remote Code Execution vulnerability in Apple iPhone OS, Mac OS X and tvOS | 9.3
  IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted key-mapping properties.

2014-09-18 | CVE-2014-4404 | Apple | Buffer Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 9.3
  Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties.

2014-09-18 | CVE-2014-4389 | Apple | Numeric Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 9.3
  Integer overflow in IOKit in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted API arguments.

2014-09-18 | CVE-2014-4388 | Apple | Improper Input Validation vulnerability in Apple iPhone OS, Mac OS X and tvOS | 9.3
  IOKit in Apple iOS before 8 and Apple TV before 7 does not properly validate IODataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via an application that provides crafted values in unspecified metadata fields, a different vulnerability than CVE-2014-4418.

2014-09-18 | CVE-2014-4381 | Apple | Buffer Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 9.3
  Libnotify in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking on write operations, which allows attackers to execute arbitrary code as root via a crafted application.

2014-09-18 | CVE-2014-4380 | Apple | Buffer Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 9.3
  The IOHIDFamily kernel extension in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking on write operations, which allows attackers to execute arbitrary code in the kernel's context via a crafted application.

2014-09-15 | CVE-2014-2375 | Ecava | Permissions, Privileges, and Access Controls vulnerability in Ecava IntegraXor | 9.0
  Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

9 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2014-09-17 | CVE-2014-4621 | EMC | Permissions, Privileges, and Access Controls vulnerability in EMC Documentum Content Server | 8.5
  EMC Documentum Content Server before 6.7 SP2 P17, 7.0 through P15, and 7.1 before P08 does not properly check authorization for subtypes of protected system types, which allows remote authenticated users to obtain super-user privileges for system-object creation, and bypass intended restrictions on data access and server actions, via unspecified vectors.

2014-09-18 | CVE-2014-4373 | Apple | NULL Pointer Dereference Denial of Service vulnerability in Apple iPhone OS, Mac OS X and tvOS | 7.8
  The IntelAccelerator driver in the IOAcceleratorFamily subsystem in Apple iOS before 8 and Apple TV before 7 allows attackers to cause a denial of service (NULL pointer dereference and device restart) via a crafted application.

2014-09-18 | CVE-2014-4369 | Apple | NULL Pointer Dereference Denial of Service vulnerability in Apple iPhone OS and tvOS | 7.8
  The IOAcceleratorFamily API implementation in Apple iOS before 8 and Apple TV before 7 allows attackers to cause a denial of service (NULL pointer dereference and device crash) via an application that uses crafted arguments.

2014-09-17 | CVE-2014-0563 | Adobe, Apple, Microsoft | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader | 7.8
  Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to cause a denial of service (memory corruption) via unspecified vectors.

2014-09-19 | CVE-2014-4424 | Apple | SQL Injection vulnerability in Apple OS X Server | 7.5
  SQL injection vulnerability in Wiki Server in CoreCollaboration in Apple OS X Server before 2.2.3 and 3.x before 3.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

2014-09-15 | CVE-2014-2376 | Ecava | SQL Injection vulnerability in Ecava IntegraXor | 7.5
  SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

2014-09-18 | CVE-2014-4375 | Apple | Local Memory Corruption vulnerability in Apple iPhone OS, Mac OS X and tvOS | 7.2
  Double free vulnerability in Apple iOS before 8 and Apple TV before 7 allows local users to gain privileges or cause a denial of service (device crash) via vectors related to Mach ports.

2014-09-18 | CVE-2014-4379 | Apple | Buffer Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 7.1
  An unspecified IOHIDFamily function in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking to prevent reading of kernel pointers, which allows attackers to bypass the ASLR protection mechanism via a crafted application.

2014-09-17 | CVE-2014-4622 | EMC | Permissions, Privileges, and Access Controls vulnerability in EMC Documentum Content Server | 7.1
  EMC Documentum Content Server before 6.7 SP2 P17, 7.0 through P15, and 7.1 before P08 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors.

183 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2014-09-19 | CVE-2014-4416 | Apple | Improper Input Validation vulnerability in Apple Mac OS X | 6.9
  An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, and CVE-2014-4401.

2014-09-19 | CVE-2014-4401 | Apple | Improper Input Validation vulnerability in Apple Mac OS X | 6.9
  An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, and CVE-2014-4416.

2014-09-19 | CVE-2014-4400 | Apple | Improper Input Validation vulnerability in Apple Mac OS X | 6.9
  An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4401, and CVE-2014-4416.

2014-09-19 | CVE-2014-4399 | Apple | Improper Input Validation vulnerability in Apple Mac OS X | 6.9
  An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416.

2014-09-19 | CVE-2014-4398 | Apple | Improper Input Validation vulnerability in Apple Mac OS X | 6.9
  An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416.

2014-09-19 | CVE-2014-4397 | Apple | Improper Input Validation vulnerability in Apple Mac OS X | 6.9
  An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416.

2014-09-19 | CVE-2014-4396 | Apple | Improper Input Validation vulnerability in Apple Mac OS X | 6.9
  An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416.

2014-09-19 | CVE-2014-4395 | Apple | Improper Input Validation vulnerability in Apple Mac OS X | 6.9
  An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416.

2014-09-19 | CVE-2014-4394 | Apple | Improper Input Validation vulnerability in Apple Mac OS X | 6.9
  An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416.

2014-09-18 | CVE-2014-4408 | Apple | Buffer Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 6.9
  The rt_setgate function in the kernel in Apple iOS before 8 and Apple TV before 7 allows local users to gain privileges or cause a denial of service (out-of-bounds read and device crash) via a crafted call.

2014-09-18 | CVE-2014-4368 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple iPhone OS | 6.9
  The Accessibility subsystem in Apple iOS before 8 allows attackers to interfere with screen locking via vectors related to AssistiveTouch events.

2014-09-20 | CVE-2014-0992 | Advantech | Buffer Errors vulnerability in Advantech WebAccess 7.2 | 6.8
  Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the password parameter.

2014-09-20 | CVE-2014-0991 | Advantech | Buffer Errors vulnerability in Advantech WebAccess 7.2 | 6.8
  Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the projectname parameter.

2014-09-20 | CVE-2014-0990 | Advantech | Buffer Errors vulnerability in Advantech WebAccess 7.2 | 6.8
  Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the UserName parameter.

2014-09-20 | CVE-2014-0989 | Advantech | Buffer Errors vulnerability in Advantech WebAccess 7.2 | 6.8
  Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.

2014-09-20 | CVE-2014-0988 | Advantech | Buffer Errors vulnerability in Advantech WebAccess 7.2 | 6.8
  Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.

2014-09-20 | CVE-2014-0987 | Advantech | Buffer Errors vulnerability in Advantech WebAccess 7.2 | 6.8
  Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.

2014-09-20 | CVE-2014-0986 | Advantech | Buffer Errors vulnerability in Advantech WebAccess 7.2 | 6.8
  Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.

2014-09-20 | CVE-2014-0985 | Advantech | Buffer Errors vulnerability in Advantech WebAccess 7.2 | 6.8
  Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.

2014-09-19 | CVE-2014-4350 | Apple | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple Mac OS X and Mac OS X Server | 6.8
  Buffer overflow in QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MIDI file.

2014-09-19 | CVE-2014-1391 | Apple | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple Mac OS X and Mac OS X Server | 6.8
  QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

2014-09-18 | CVE-2014-4422 | Apple | Cryptographic Issues vulnerability in Apple iPhone OS and tvOS | 6.8
  The kernel in Apple iOS before 8 and Apple TV before 7 uses a predictable random number generator during the early portion of the boot process, which allows attackers to bypass certain kernel-hardening protection mechanisms by using a user-space process to observe data related to the random numbers.

2014-09-18 | CVE-2014-4415 | Apple | Buffer Errors vulnerability in Apple iPhone OS, Safari and tvOS | 6.8
  WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.

2014-09-18 | CVE-2014-4414 | Apple | Buffer Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 6.8
  WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.

2014-09-18 | CVE-2014-4413 | Apple | Buffer Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 6.8
  WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.

2014-09-18 | CVE-2014-4412 | Apple | Buffer Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 6.8
  WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.

2014-09-18 | CVE-2014-4411 | Apple | Buffer Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 6.8
  WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.

2014-09-18 | CVE-2014-4410 | Apple | Buffer Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 6.8
  WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.

2014-09-18 | CVE-2014-4377 | Apple | Numeric Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 6.8
  Integer overflow in CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

2014-09-18 | CVE-2014-2886 | Nongnu | Permissions, Privileges, and Access Controls vulnerability in Nongnu GKSu 2.0.2 | 6.8
  GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during installation of a VirtualBox extension pack.

2014-09-15 | CVE-2014-0993 | Embarcadero | Buffer Errors vulnerability in Embarcadero products | 6.8
  Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

2014-09-18 | CVE-2014-4824 | IBM | SQL Injection vulnerability in IBM QRadar Security Information and Event Manager 7.2.0 | 6.5
  SQL injection vulnerability in IBM Security QRadar SIEM 7.2 before 7.2.3 Patch 1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

2014-09-17 | CVE-2012-2956 | Spiceworks | SQL Injection vulnerability in Spiceworks 5.3.75941 | 6.5
  SQL injection vulnerability in SpiceWorks 5.3.75941 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to api_v2.json.

2014-09-17 | CVE-2012-1506 | Orangehrm | SQL Injection vulnerability in OrangeHRM | 6.5
  SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php.

2014-09-20 | CVE-2014-3379 | Cisco | Improper Input Validation vulnerability in Cisco products | 6.1
  Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (NPU and card hang or reload) via a malformed MPLS packet, aka Bug ID CSCuq10466.

2014-09-18 | CVE-2014-4378 | Apple | Buffer Errors vulnerability in Apple iPhone OS, Mac OS X and tvOS | 5.8
  CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a crafted PDF document.

2014-09-18 | CVE-2014-4354 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple iPhone OS | 5.8
  Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

2014-09-20 | CVE-2014-5990 | Bookjam | Cryptographic Issues vulnerability in Bookjam Cookbible 1.0.0 | 5.4
  The cookbible (aka net.bookjam.cookbible) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5989 | Babydays | Cryptographic Issues vulnerability in Babydays Baby Days 1.5.8 | 5.4
  The baby days (aka jp.co.cyberagent.babydays) application 1.5.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5988 | Getjar | Cryptographic Issues vulnerability in Getjar Azkend Gold 1.2.6 | 5.4
  The Azkend Gold (aka com.the10tons.azkend.gold) application 1.2.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5987 | Three | Cryptographic Issues vulnerability in Three MY3 @7F0A0001 | 5.4
  The My3 - by 3HK (aka com.my3) application @7F0A0001 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5986 | Puzzles and Matchup Games Project | Cryptographic Issues vulnerability in Puzzles and Matchup Games Project Educational Puzzles - Letters 2.0 | 5.4
  The Educational Puzzles - Letters (aka com.EducationalPuzzlesLetters) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5985 | Topappsbuilder Project | Cryptographic Issues vulnerability in Topappsbuilder Project Animal Kaiser Zangetsu 0.1 | 5.4
  The Animal Kaiser Zangetsu (aka com.wAnimalKaiserZangetsu) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5981 | Moweather | Cryptographic Issues vulnerability in MoWeather 1.40.05 | 5.4
  The MoWeather (aka com.moji.moweather) application 1.40.05 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5980 | Genertel | Cryptographic Issues vulnerability in Genertel 2.6.0 | 5.4
  The Genertel (aka com.genertel) application 2.6.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5979 | Tvbengali | Cryptographic Issues vulnerability in Tvbengali TV Bengali Open Directory 1.4 | 5.4
  The TV Bengali Open Directory (aka com.TVBengali) application 1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5978 | Ipposan | Cryptographic Issues vulnerability in Ipposan Memetan 1.1.0 | 5.4
  The memetan (aka memetan.android.com.activity) application 1.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5977 | Mobile Face Project | Cryptographic Issues vulnerability in Mobile Face Project Mobile Face 0.74.13432.91159 | 5.4
  The Mobile Face (aka com.wFacemobile) application 0.74.13432.91159 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5976 | Alibaba | Cryptographic Issues vulnerability in Alibaba 4.1.0.0 | 5.4
  The alibaba (aka com.alibaba.wireless) application 4.1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5975 | Grabapp | Cryptographic Issues vulnerability in Grabapp Eponyms 3.2 | 5.4
  The eponyms (aka com.anddeveloper.eponyms) application 3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5974 | Psecu | Cryptographic Issues vulnerability in PSECU Mobile+ 2.2 | 5.4
  The PSECU Mobile+ (aka com.Vertifi.Mobile.P231381116) application 2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5973 | Socialknowledge | Cryptographic Issues vulnerability in Socialknowledge Aquarium Advice 3.7.6 | 5.4
  The Aquarium Advice (aka com.socialknowledge.aquariumadvice) application 3.7.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-20 | CVE-2014-5972 | Loving FM | Cryptographic Issues vulnerability in Loving.Fm Loving - Couple Essential 4.0.1 | 5.4
  The Loving - Couple Essential (aka com.xiaoenai.app) application 4.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-19 | CVE-2014-5970 | Babybus | Cryptographic Issues vulnerability in BabyBus 3.91 | 5.4
  The BabyBus (aka com.sinyee.babybus.concert.ru) application 3.91 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-19 | CVE-2014-5969 | Healthylifestyle Project | Cryptographic Issues vulnerability in Healthylifestyle Project Healthylifestyle 1.2.2 | 5.4
  The healthylifestyle (aka com.alek.healthylifestyle) application 1.2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-19 | CVE-2014-5968 | Igolf | Cryptographic Issues vulnerability in iGolf - Golf GPS 20 | 5.4
  The iGolf - Golf GPS (aka com.igolf) application 20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-19 | CVE-2014-5967 | Decoracionesnailart | Cryptographic Issues vulnerability in Decoracionesnailart Designs Nail Arts 3.6.1 | 5.4
  The Designs Nail Arts (aka com.decoracionesnailart.flickr) application 3.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-19 | CVE-2014-5966 | Golauncher | Cryptographic Issues vulnerability in Golauncher Dreamland Super Theme GO Gold 1.0 | 5.4
  The Dreamland Super Theme GO Gold (aka com.gau.go.launcherex.viptheme.dreamland.gold) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-19 | CVE-2014-5965 | Groovemusic Project | Cryptographic Issues vulnerability in Groovemusic Project GrooveMusic 2.0.0 | 5.4
  The GrooveMusic (aka com.mobincube.android.sc_2HKFF) application 2.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-19 | CVE-2014-5964 | Megabank | Cryptographic Issues vulnerability in MegaBank 2.0 | 5.4
  The MegaBank (aka com.megabank.mobilebank) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-19 | CVE-2014-5963 | Corntree | Cryptographic Issues vulnerability in Corntree Halieutics 21.40.5 | 5.4
  The Halieutics (aka com.corn.Halieutics) application 21.40.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

2014-09-19 | CVE-2014-5962 | Gamelikeapps | Cryptographic Issues vulnerability in Gamelikeapps Guess the Actor 1.1 |
  The Guess The Actor (aka com.gamelikeinc.actors) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-19 CVE-2014-5961 Hdcar Cryptographic Issues vulnerability in Hdcar Russiananime 1

The russiananime (aka com.rareartifact.russiananime68A5CCFE) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-19 CVE-2014-5960 KBV Cryptographic Issues vulnerability in KBV Federal Doctors 1.0.1

The BundesArztsuche (aka de.kbv.bas) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-19 CVE-2014-5959 Mytx Cryptographic Issues vulnerability in Mytx TX Smart 7.05

The tx Smart (aka com.wooriwm.txsmart) application 7.05 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-19 CVE-2014-5958 Chatbox Cryptographic Issues vulnerability in Chatbox - Chat Rooms 2.5

The ChatBox - Chat Rooms (aka com.droidchatroom.messengerapp) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5957 Linkyungame Cryptographic Issues vulnerability in Linkyungame Alien WAR Survivors 1.3.1

The Alien War Survivors (aka com.ly.a13.gp) application 1.3.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5956 Vplayer Cryptographic Issues vulnerability in Vplayer Video Player 3.2.6

The VPlayer Video Player (aka me.abitno.vplayer.t) application 3.2.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5955 Stephenvarga Cryptographic Issues vulnerability in Stephenvarga Atomic Fusion 1.7

The Atomic Fusion (aka com.bytesized.fusion) application 1.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5954 SBI Cryptographic Issues vulnerability in SBI State Bank Anywhere 2.0.1

The State Bank Anywhere (aka com.sbi.SBIFreedomPlus) application 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5953 Kaskus Cryptographic Issues vulnerability in Kaskus 2.13.0

The KASKUS (aka com.kaskus.android) application 2.13.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5952 Calarepasoftware Cryptographic Issues vulnerability in Calarepasoftware E-Dziennik 0.5.2

The E-Dziennik (aka com.librus.dziennik) application 0.5.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5951 Sinopac Cryptographic Issues vulnerability in Sinopac 2.4.2

The SinoPac (aka com.sionpac.app.SinoPac) application 2.4.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5950 Smtown Cryptographic Issues vulnerability in Smtown NOW 0.9.8

The NOW (aka com.smtown.smtownnow.androidapp) application 0.9.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5949 Mobileticketapp Cryptographic Issues vulnerability in Mobileticketapp Ticket APP - Concerts & Sports 3.0.1

The TICKET APP - Concerts & Sports (aka com.xcr.android.ticketapp) application 3.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5948 Barackobama Cryptographic Issues vulnerability in Barackobama Obama for America 1.02

The Obama for America (aka com.barackobama.ofa) application 1.02 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5947 Psicofxp Cryptographic Issues vulnerability in Psicofxp 2.4.12.15

The psicofxp (aka com.tapatalk.psicofxpcom) application 2.4.12.15 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5946 Hawaaworld Cryptographic Issues vulnerability in Hawaaworld Forumhawaaworldcom 3.4.12

The forumhawaaworldcom (aka com.tapatalk.forumhawaaworldcom) application 3.4.12 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5945 Edline Mobile Project Cryptographic Issues vulnerability in Edline Mobile Project Edline Mobile 0.63.13369.34294

The Edline Mobile (aka com.wEdlineFree) application 0.63.13369.34294 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5944 Jellyfisher Cryptographic Issues vulnerability in Jellyfisher Soccer Blitz 1.06

The Soccer Blitz (aka soccer.blitz) application 1.06 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5943 Labmsf Cryptographic Issues vulnerability in Labmsf Antivirus Beta 1.0.2

The LabMSF Antivirus Beta (aka com.ReSync.RNGN) application 1.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5942 Baby Stomach Surgery Project Cryptographic Issues vulnerability in Baby Stomach Surgery Project Baby Stomach Surgery 1.0.2

The Baby Stomach Surgery (aka com.harriskerioe.stomachsurgery) application 1.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5941 Armpit SPA Girl Games Project Cryptographic Issues vulnerability in Armpit SPA & Girl Games Project Armpit SPA & Girl Games 1.0.2

The Armpit Spa & Girl Games (aka com.freegames.spamakeover) application 1.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5940 Pocketpc Cryptographic Issues vulnerability in Pocketpc Pocketpc.Ch 3.9.51

The PocketPC.ch (aka com.tapatalk.pocketpcch) application 3.9.51 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5939 Travelzad Cryptographic Issues vulnerability in Travelzad Travelzadcomvb 3.3.10

The travelzadcomvb (aka com.tapatalk.travelzadcomvb) application 3.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5938 Alldealsasia Cryptographic Issues vulnerability in Alldealsasia ALL Deals ADA APP 4.2.1

The AllDealsAsia All Deals ADA app (aka com.ada.deals) application 4.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5937 Freediyhomeimprovement Cryptographic Issues vulnerability in Freediyhomeimprovement Social Networking 0.33.13320.99980

The Social Networking (aka com.wSocialNetworkingSites) application 0.33.13320.99980 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5936 Incognito Private Browser Project Cryptographic Issues vulnerability in Incognito Private Browser Project Incognito Private Browser 1.4.0

The INCOgnito Private Browser (aka com.SL.InCoBrowser) application 1.4.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5935 Daily Free APP Amazon Project Cryptographic Issues vulnerability in Daily Free APP @ Amazon Project Daily Free APP @ Amazon 1.5.2

The Daily Free App @ Amazon (aka com.kattanweb.android.dfaa) application 1.5.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5934 Skout Cryptographic Issues vulnerability in Skout Flurv Chat 4.3.3

The Flurv Chat (aka com.flurv.android) application 4.3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5933 Cokestudio Cryptographic Issues vulnerability in Cokestudio Cokestudio7 1

The Coke Studio 7 (aka com.cokeshare.pakistan) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5932 Vodafone Cryptographic Issues vulnerability in Vodafone Mobile@Work 6.0.0.1.12R

The Vodafone Mobile@Work (aka com.mobileiron.vodafone.MIClient) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5931 Stopandshop Cryptographic Issues vulnerability in Stopandshop Stop & Shop Scan It! Mobile 7.21.00

The Stop & Shop SCAN IT! Mobile (aka com.modivmedia.scanitss) application 7.21.00 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5930 Singtel Cryptographic Issues vulnerability in Singtel Store and Share 2.0.18

The Store and Share (aka sg.com.singnet.mystorage.android) application 2.0.18 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5929 Emart Cryptographic Issues vulnerability in Emart Emartmall 1.3.3

The emartmall (aka kr.co.emart.emartmall) application 1.3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5928 Steganos Cryptographic Issues vulnerability in Steganos Online Shield VPN 1.0.3

The Steganos Online Shield VPN (aka com.steganos.onlineshield) application 1.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5927 Fastcustomer Cryptographic Issues vulnerability in Fastcustomer -- Fast Customer 3

The FastCustomer -- Fast Customer (aka www.fastcustomer.com) application 3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5926 DCU Cryptographic Issues vulnerability in DCU Mobile Banking 2

The DCU Mobile Banking (aka com.Vertifi.Mobile.P211391825) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5925 Musicjustnow Cryptographic Issues vulnerability in Musicjustnow 10000 Kindle Books Downloads 0.312

The 10000 Kindle Books Downloads (aka com.ww10000KindleBooksLatestnBestSellers) application 0.312 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5924 Bearhugmedia Cryptographic Issues vulnerability in Bearhugmedia Monster Makeup 1.0.0.0

The Monster Makeup (aka com.bearhugmedia.android_monster) application 1.0.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5923 Statusvia Cryptographic Issues vulnerability in Statusvia Facebook Status VIA 3.5

The Facebook Status Via (aka com.StatusViaAdvanced) application 3.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5922 Ga6748 Project Cryptographic Issues vulnerability in Ga6748 Project Ga6748 1

The ga6748 (aka com.g.ga6748) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5921 EA Cryptographic Issues vulnerability in EA Need for Speed Network 1.0.1

The Need for Speed Network (aka com.ea.nfsautolog.bv) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5920 Amberfog Cryptographic Issues vulnerability in Amberfog VK Amberfog 3.5.6

The VK Amberfog (aka com.amberfog.vkfree) application 3.5.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-18 CVE-2014-5919 Surdoc Cryptographic Issues vulnerability in Surdoc - 100Gb+ Free Storage 1.3.4.0

The SurDoc - 100GB+ FREE storage (aka com.jd.surdoc) application 1.3.4.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5918 Secretcircle Cryptographic Issues vulnerability in Secretcircle Secret Circle - Talk Freely 2.2.00.26

The Secret Circle - talk freely (aka com.easyxapp.secret) application 2.2.00.26 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5917 Grassapper Cryptographic Issues vulnerability in Grassapper Slideshow 365 3.6

The Slideshow 365 (aka com.Slideshow) application 3.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5916 OI Cryptographic Issues vulnerability in OI Minha OI 1.15.0

The Minha Oi (aka br.com.mobicare.minhaoi) application 1.15.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5915 Tigo Cryptographic Issues vulnerability in Tigo Copa Mundial Fifa 2014 3.1

The Tigo Copa Mundial FIFA 2014 (aka com.fwc2014.millicom.and) application 3.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5914 Finansbank Cryptographic Issues vulnerability in Finansbank CEP Subesi 1.1.5

The Finansbank Cep Subesi (aka com.finansbank.mobile.cepsube) application 1.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5913 Game Lion Cryptographic Issues vulnerability in Game-Lion Allies in WAR 1.3.2

The Allies in War (aka com.gamelion.aiw) application 1.3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5912 Intsig Cryptographic Issues vulnerability in Intsig Innote 1.0.3.20131119

The InNote (aka com.intsig.notes) application 1.0.3.20131119 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5911 Jellytap Cryptographic Issues vulnerability in Jellytap Free APP Icons & Icon Packs 1.4

The Free App Icons & Icon Packs (aka com.jellytap.cooliconfinder) application 1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5910 DOG Whistle Project Cryptographic Issues vulnerability in DOG Whistle Project DOG Whistle 1.9

The Dog Whistle (aka com.dogwhistle.dogtrainingandroidapp) application 1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5909 Watcha Cryptographic Issues vulnerability in Watcha 2.0.2

The watcha (aka com.frograms.watcha) application 2.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5908 Kmart Cryptographic Issues vulnerability in Kmart @7F0C00Ef

The Kmart (aka com.kmart.android) application @7F0C00EF for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5907 Libiitech Cryptographic Issues vulnerability in Libiitech PET Salon 1.0.1

The Pet Salon (aka com.libiitech.petsalon) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-17 CVE-2014-5906 Youngmoney Cryptographic Issues vulnerability in Youngmoney LIL Wayne Slots: Free Slots 1.138

The Lil Wayne Slots: FREE SLOTS (aka com.lilwayneslots.slots.android) application 1.138 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5905 Meucarrinho Cryptographic Issues vulnerability in Meucarrinho Grocery List - Tomatoes 5.1.4

The Grocery List - Tomatoes (aka com.meucarrinho) application 5.1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5904 Miniinthebox Cryptographic Issues vulnerability in Miniinthebox Online Shopping 2.0.0

The MiniInTheBox Online Shopping (aka com.miniinthebox.android) application 2.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5903 Mobileiron Cryptographic Issues vulnerability in Mobileiron Mobile@Work 6.0.0.1.12R

The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5902 Uacinemas Cryptographic Issues vulnerability in Uacinemas UA Cinemas - Mobile Ticketing 2.9

The UA Cinemas - Mobile ticketing (aka com.mtel.uacinemaapps) application 2.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5901 Webelinx Cryptographic Issues vulnerability in Webelinx Beauty Bible - APP for Girls 5

The Beauty Bible - App for Girls (aka com.my.beauty.bible) application 5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5900 Myhomeworkapp Cryptographic Issues vulnerability in Myhomeworkapp Myhomework Student Planner 3.0.2

The myHomework Student Planner (aka com.myhomeowork) application 3.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5899 Nespresso Cryptographic Issues vulnerability in Nespresso 2.4.1

The Nespresso (aka com.nespresso.activities) application 2.4.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5898 Heavy Duty Truck Driver Simulator 3D Project Cryptographic Issues vulnerability in Heavy Duty Truck Driver Simulator 3D Project Heavy Duty Truck Driver Simulator 3D 1.0.5

The Heavy Duty Truck Driver Simulator 3D (aka com.oas.heavy.duty.truck.driver.simulator3d) application 1.0.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5897 Parallelmafia Cryptographic Issues vulnerability in Parallelmafia Parallel Mafia Mmorpg @7F070000

The Parallel Mafia MMORPG (aka com.perblue.pm.client) application @7F070000 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5896 Seawolftech Cryptographic Issues vulnerability in Seawolftech Globaltalk- Free Phone Calls 2.1.4

The GlobalTalk- free phone calls (aka com.seawolftech.globaltalk) application 2.1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5895 Shopyourway Cryptographic Issues vulnerability in Shopyourway 1.9

The ShopYourWay (aka com.sears.shopyourway) application 1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5894 Pingshow Cryptographic Issues vulnerability in Pingshow Airetalk Text Call & More! 2.0.73

The AireTalk: Text, Call, & More! (aka com.pingshow.amper) application 2.0.73 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5893 Shinsegaemall Cryptographic Issues vulnerability in Shinsegaemall Froyo 5.1.3

The froyo (aka com.shinsegae.mobile.froyo) application 5.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5892 Olleh Cryptographic Issues vulnerability in Olleh Greenbill 2.0.3

The greenbill (aka com.show.greenbill_G) application 2.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5891 Snipsnap Cryptographic Issues vulnerability in Snipsnap Coupon APP 1.1.11

The SnipSnap Coupon App (aka com.snipsnap.snipsnapapp) application 1.1.11 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5890 Sports2I Cryptographic Issues vulnerability in Sports2I KBO Sports2I 2014 5.1.00

The KBO sports2i 2014 (aka com.sports2i) application 5.1.00 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-15 CVE-2014-5889 Androidforums Cryptographic Issues vulnerability in Androidforums Forum for Android 2.4.4.9

The Android Forums (aka com.tapatalk.androidforumscom) application 2.4.4.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-20 CVE-2014-6432 Wireshark Resource Management Errors vulnerability in Wireshark

The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not prevent data overwrites during copy operations, which allows remote attackers to cause a denial of service (application crash) via a crafted file.

5.0
2014-09-20 CVE-2014-6431 Wireshark Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Wireshark

Buffer overflow in the SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted file that triggers writes of uncompressed bytes beyond the end of the output buffer.

5.0
2014-09-20 CVE-2014-6430 Wireshark Improper Input Validation vulnerability in Wireshark

The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not validate bitmask data, which allows remote attackers to cause a denial of service (application crash) via a crafted file.

5.0
2014-09-20 CVE-2014-6429 Wireshark Improper Input Validation vulnerability in Wireshark

The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not properly handle empty input data, which allows remote attackers to cause a denial of service (application crash) via a crafted file.

5.0
2014-09-20 CVE-2014-6428 Wireshark Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Wireshark

The dissect_spdu function in epan/dissectors/packet-ses.c in the SES dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not initialize a certain ID value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

5.0
2014-09-20 CVE-2014-6427 Wireshark Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Wireshark

Off-by-one error in the is_rtsp_request_or_reply function in epan/dissectors/packet-rtsp.c in the RTSP dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet that triggers parsing of a token located one position beyond the current position.

5.0
2014-09-20 CVE-2014-6426 Wireshark Resource Management Errors vulnerability in Wireshark 1.12.0

The dissect_hip_tlv function in epan/dissectors/packet-hip.c in the HIP dissector in Wireshark 1.12.x before 1.12.1 does not properly handle a NULL tree, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.

5.0
2014-09-20 CVE-2014-6425 Wireshark Buffer Errors vulnerability in Wireshark 1.12.0

The (1) get_quoted_string and (2) get_unquoted_string functions in epan/dissectors/packet-cups.c in the CUPS dissector in Wireshark 1.12.x before 1.12.1 allow remote attackers to cause a denial of service (buffer over-read and application crash) via a CUPS packet that lacks a trailing '\0' character.

5.0
2014-09-20 CVE-2014-6424 Wireshark Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Wireshark

The dissect_v9_v10_pdu_data function in epan/dissectors/packet-netflow.c in the Netflow dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 refers to incorrect offset and start variables, which allows remote attackers to cause a denial of service (uninitialized memory read and application crash) via a crafted packet.

5.0
2014-09-20 CVE-2014-6423 Wireshark Resource Management Errors vulnerability in Wireshark

The tvb_raw_text_add function in epan/dissectors/packet-megaco.c in the MEGACO dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (infinite loop) via an empty line.

5.0
2014-09-20 CVE-2014-6422 Wireshark Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Wireshark

The SDP dissector in Wireshark 1.10.x before 1.10.10 creates duplicate hashtables for a media channel, which allows remote attackers to cause a denial of service (application crash) via a crafted packet to the RTP dissector.

5.0
2014-09-20 CVE-2014-6421 Wireshark Remote Denial of Service vulnerability in Wireshark RTP Dissector

Use-after-free vulnerability in the SDP dissector in Wireshark 1.10.x before 1.10.10 allows remote attackers to cause a denial of service (application crash) via a crafted packet that leverages split memory ownership between the SDP and RTP dissectors.

5.0
2014-09-20 CVE-2014-3378 Cisco Improper Input Validation vulnerability in Cisco IOS XR

tacacsd in Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed TACACS+ packet, aka Bug ID CSCum00468.

5.0
2014-09-20 CVE-2014-3376 Cisco Improper Input Validation vulnerability in Cisco IOS XR

Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed RSVP packet, aka Bug ID CSCuq12031.

5.0
2014-09-19 CVE-2014-3614 Powerdns Remote Denial of Service vulnerability in Powerdns Recursor 3.6.0

Unspecified vulnerability in PowerDNS Recursor (aka pdns_recursor) 3.6.x before 3.6.1 allows remote attackers to cause a denial of service (crash) via an unknown sequence of malformed packets.

5.0
2014-09-18 CVE-2014-5413 Aveva, Schneider Electric Cryptographic Issues vulnerability in multiple products

Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 uses the MD5 algorithm for an X.509 certificate, which makes it easier for remote attackers to spoof servers via a cryptographic attack against this algorithm.

5.0
2014-09-18 CVE-2014-5412 Aveva, Schneider Electric Permissions, Privileges, and Access Controls vulnerability in multiple products

Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account.

5.0
2014-09-18 CVE-2014-4374 Apple XML External Entity Information Disclosure vulnerability in Apple Iphone OS and mac OS X

NSXMLParser in Foundation in Apple iOS before 8 allows attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

5.0
2014-09-18 CVE-2014-4366 Apple Credentials Management vulnerability in Apple Iphone OS

Mail in Apple iOS before 8 does not prevent sending a LOGIN command to a LOGINDISABLED IMAP server, which allows remote attackers to obtain sensitive cleartext information by sniffing the network.

5.0
2014-09-18 CVE-2014-4363 Apple Credentials Management vulnerability in Apple Iphone OS and Safari

Safari in Apple iOS before 8 does not properly restrict the autofilling of passwords in forms, which allows remote attackers to obtain sensitive information via (1) an http web site, (2) an https web site with an unacceptable X.509 certificate, or (3) an IFRAME element.

5.0
2014-09-18 CVE-2014-4362 Apple Information Exposure vulnerability in Apple Iphone OS

The Sandbox Profiles implementation in Apple iOS before 8 does not properly restrict the third-party app sandbox profile, which allows attackers to obtain sensitive Apple ID information via a crafted app.

5.0
2014-09-18 CVE-2014-4361 Apple Information Exposure vulnerability in Apple Iphone OS

The Home & Lock Screen subsystem in Apple iOS before 8 does not properly restrict the private API for app prominence, which allows attackers to determine the frontmost app by leveraging access to a crafted background app.

5.0
2014-09-15 CVE-2014-3796 Vmware Improper Input Validation vulnerability in VMWare NSX and Vcloud Networking and Security

VMware NSX 6.0 before 6.0.6, and vCloud Networking and Security (vCNS) 5.1 before 5.1.4.2 and 5.5 before 5.5.3, does not properly validate input, which allows attackers to obtain sensitive information via unspecified vectors.

5.0
2014-09-15 CVE-2014-2377 Ecava Information Exposure vulnerability in Ecava Integraxor

Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

5.0
2014-09-15 CVE-2014-5407 Schneider Electric Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Schneider-Electric Vampset

Multiple stack-based buffer overflows in Schneider Electric VAMPSET 2.2.136 and earlier allow local users to cause a denial of service (application halt) via a malformed (1) setting file or (2) disturbance recording file.

4.4
2014-09-20 CVE-2014-3367 Cisco Cross-Site Scripting vulnerability in Cisco Nexus 1000V Intercloud

Cross-site scripting (XSS) vulnerability in the vCloud Director component in Cisco Nexus 1000V InterCloud for VMware allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuq90524.

4.3
2014-09-19 CVE-2012-6659 Phorum Cross-Site Scripting vulnerability in Phorum

Cross-site scripting (XSS) vulnerability in the admin interface in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3
2014-09-19 CVE-2012-2588 Mailenable Cross-Site Scripting vulnerability in Mailenable 6.5

Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message.

4.3
2014-09-19 CVE-2014-4406 Apple Cross-Site Scripting vulnerability in Apple OS X Server

Cross-site scripting (XSS) vulnerability in Xcode Server in CoreCollaboration in Apple OS X Server before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-09-18 CVE-2014-5317 Php365 Cross-Site Scripting vulnerability in PHP365 products

Cross-site scripting (XSS) vulnerability in php365.com 365 Links 3.11 and earlier, 365 Links2 3.11 and earlier, 365 Links+ 2.10 and earlier, and 365 Links2+ 2.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-09-18 CVE-2014-4826 IBM Information Exposure vulnerability in IBM Qradar Security Information and Event Manager 7.2.0

IBM Security QRadar SIEM 7.2 before 7.2.3 Patch 1 does not properly handle SSH connections, which allows remote attackers to obtain sensitive cleartext information by sniffing the network.

4.3
2014-09-18 CVE-2014-4820 IBM Cross-Site Scripting vulnerability in IBM Integration BUS Manufacturing Pack 1.0.0.0

Cross-site scripting (XSS) vulnerability in IBM Integration Bus Manufacturing Pack 1.x before 1.0.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-09-18 CVE-2014-4423 Apple Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS

The Accounts subsystem in Apple iOS before 8 allows attackers to bypass a sandbox protection mechanism and obtain an active iCloud account's Apple ID and metadata via a crafted application.

4.3
2014-09-18 CVE-2014-4409 Apple Information Exposure vulnerability in Apple Iphone OS

WebKit in Apple iOS before 8 makes it easier for remote attackers to track users during private browsing via a crafted web site that reads HTML5 application-cache data that had been stored during normal browsing.

4.3
2014-09-18 CVE-2014-4407 Apple Information Exposure vulnerability in Apple Iphone OS, mac OS X and Tvos

IOKit in Apple iOS before 8 and Apple TV before 7 does not properly initialize kernel memory, which allows attackers to obtain sensitive memory-content information via an application that makes crafted IOKit function calls.

4.3
2014-09-18 CVE-2014-4383 Apple Improper Input Validation vulnerability in Apple Iphone OS and Tvos

The Assets subsystem in Apple iOS before 8 and Apple TV before 7 allows man-in-the-middle attackers to spoof a device's update status via a crafted Last-Modified HTTP response header.

4.3
2014-09-18 CVE-2014-4353 Apple Race Condition vulnerability in Apple Iphone OS

Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

4.3
2014-09-17 CVE-2012-6658 Spiceworks Cross-Site Scripting vulnerability in Spiceworks 5.3.75941

Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3.75941 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName configuration in snmpd.conf.

4.3
2014-09-17 CVE-2014-5235 Open Xchange Cross-Site Scripting vulnerability in Open-Xchange Appsuite

Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via vectors related to unspecified fields in RSS feeds.

4.3
2014-09-17 CVE-2014-5234 Open Xchange Cross-Site Scripting vulnerability in Open-Xchange Appsuite

Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via a folder publication name.

4.3
2014-09-17 CVE-2012-2583 Mini Mail Dashboard Widget Project Cross-Site Scripting vulnerability in Mini Mail Dashboard Widget Project Mini Mail Dashboard Widget 1.42

Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

4.3
2014-09-17 CVE-2012-1507 Orangehrm Cross-Site Scripting vulnerability in Orangehrm

Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php.

4.3
2014-09-17 CVE-2012-1032 Siteseeker, Episerver Cross-Site Scripting vulnerability in multiple products

Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-09-17 CVE-2014-0562 Adobe, Apple, Microsoft Cross-Site Scripting vulnerability in Adobe Acrobat and Acrobat Reader

Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

4.3
2014-09-15 CVE-2014-6392 Facebook Cross-Site Scripting vulnerability in Facebook and Facebook Messenger

** DISPUTED ** Cross-site scripting (XSS) vulnerability in the Facebook app 14.0 and the Facebook Messenger app 10.0 for iOS allows remote attackers to inject arbitrary web script or HTML via a crafted filename extension that is improperly handled during MIME sniffing of chat traffic.

4.3
2014-09-20 CVE-2014-3377 Cisco Improper Input Validation vulnerability in Cisco IOS XR

snmpd in Cisco IOS XR 5.1 and earlier allows remote authenticated users to cause a denial of service (process reload) via a malformed SNMPv2 packet, aka Bug ID CSCun67791.

4.0
2014-09-18 CVE-2014-4819 IBM Information Exposure vulnerability in IBM Integration BUS and Websphere Message Broker

The web user interface in IBM WebSphere Message Broker 8.0 before 8.0.0.6 and IBM Integration Bus 9.0 before 9.0.0.3 allows remote authenticated users to obtain sensitive information by reading the error page.

4.0
2014-09-15 CVE-2014-3617 Moodle Permissions, Privileges, and Access Controls vulnerability in Moodle

The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum.

4.0

17 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-09-18 CVE-2014-4372 Apple Link Following vulnerability in Apple Iphone OS and Tvos

syslogd in the syslog subsystem in Apple iOS before 8 and Apple TV before 7 allows local users to change the permissions of arbitrary files via a symlink attack on an unspecified file.

3.6
2014-09-18 CVE-2014-5411 Aveva, Schneider Electric Cross-Site Scripting vulnerability in multiple products

Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2014-09-17 CVE-2012-1417 Yealink Cross-Site Scripting vulnerability in Yealink products

Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

3.5
2014-09-15 CVE-2014-4763 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in Content Navigator in Content Engine in IBM FileNet Content Manager 5.2.x before 5.2.0.3-P8CPE-IF003 and Content Foundation 5.2.x before 5.2.0.3-P8CPE-IF003 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

3.5
2014-09-18 CVE-2014-4364 Apple Cryptographic Issues vulnerability in Apple Iphone OS and Tvos

The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the MS-CHAPv1 hash.

2.9
2014-09-19 CVE-2014-4403 Apple Information Exposure vulnerability in Apple mac OS X

The kernel in Apple OS X before 10.9.5 allows local users to obtain sensitive address information and bypass the ASLR protection mechanism by leveraging predictability of the location of the CPU Global Descriptor Table.

2.1
2014-09-18 CVE-2014-4367 Apple Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS

Apple iOS before 8 enables Voice Dial during all upgrade actions, which makes it easier for physically proximate attackers to launch unintended calls by speaking a telephone number.

2.1
2014-09-18 CVE-2014-4357 Apple Information Exposure vulnerability in Apple Iphone OS and Tvos

Accounts Framework in Apple iOS before 8 and Apple TV before 7 allows attackers to obtain sensitive information by reading log data that was not intended to be present in a log.

2.1
2014-09-18 CVE-2014-4356 Apple Information Exposure vulnerability in Apple Iphone OS

Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

2.1
2014-09-18 CVE-2014-4352 Apple Cryptographic Issues vulnerability in Apple Iphone OS

Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

2.1
2014-09-15 CVE-2014-3077 IBM Information Exposure vulnerability in IBM products

IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

2.1
2014-09-18 CVE-2014-4421 Apple Security vulnerability in Apple Iphone OS, mac OS X and Tvos

The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4419, and CVE-2014-4420.

1.9
2014-09-18 CVE-2014-4420 Apple Security vulnerability in Apple Iphone OS, mac OS X and Tvos

The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4419, and CVE-2014-4421.

1.9
2014-09-18 CVE-2014-4419 Apple Security vulnerability in Apple Iphone OS, mac OS X and Tvos

The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4420, and CVE-2014-4421.

1.9
2014-09-18 CVE-2014-4386 Apple Race Condition vulnerability in Apple Iphone OS

Race condition in the App Installation feature in Apple iOS before 8 allows local users to gain privileges and install unverified apps by leveraging /tmp write access.

1.9
2014-09-18 CVE-2014-4384 Apple Path Traversal vulnerability in Apple Iphone OS

Directory traversal vulnerability in the App Installation feature in Apple iOS before 8 allows local users to install unverified apps by triggering code-signature validation of an unintended bundle.

1.9
2014-09-18 CVE-2014-4371 Apple Improper Initialization vulnerability in Apple Iphone OS, mac OS X and Tvos

The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4419, CVE-2014-4420, and CVE-2014-4421.

1.9