Weekly Vulnerabilities Reports > September 29 to October 5, 2014

Overview

263 new vulnerabilities were reported during this period, including 8 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary reports vulnerabilities in 307 products from 196 vendors, including Plone, IBM, Debian, Redhat, and Cisco. The vulnerabilities are most often categorized as "Cryptographic Issues", "Cross-site Scripting", "Permissions, Privileges, and Access Controls", "Improper Input Validation", and "Information Exposure".

  • 98 reported vulnerabilities are remotely exploitable.
  • 6 reported vulnerabilities have a public exploit available.
  • 32 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 247 reported vulnerabilities are exploitable by an anonymous user.
  • Plone has the most reported vulnerabilities, with 22 reported vulnerabilities.
  • IBM has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:

8 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-10-03 CVE-2014-0754 Schneider Electric Path Traversal vulnerability in Schneider-Electric products

Directory traversal vulnerability in SchneiderWEB on Schneider Electric Modicon PLC Ethernet modules 140CPU65x Exec before 5.5, 140NOC78x Exec before 1.62, 140NOE77x Exec before 6.2, BMXNOC0401 before 2.05, BMXNOE0100 before 2.9, BMXNOE0110x Exec before 6.0, TSXETC101 Exec before 2.04, TSXETY4103x Exec before 5.7, TSXETY5103x Exec before 5.9, TSXP57x ETYPort Exec before 5.7, and TSXP57x Ethernet Copro Exec before 5.5 allows remote attackers to visit arbitrary resources via a crafted HTTP request.

10.0
2014-10-03 CVE-2014-4823 IBM OS Command Injection vulnerability in IBM products

The administration console in IBM Security Access Manager for Web 7.x before 7.0.0-ISS-WGA-IF0009 and 8.x before 8.0.0-ISS-WGA-FP0005, and Security Access Manager for Mobile 8.x before 8.0.0-ISS-ISAM-FP0005, allows remote attackers to inject system commands via unspecified vectors.

10.0
2014-10-02 CVE-2014-3060 IBM Local Information Disclosure vulnerability in IBM products

Unspecified vulnerability on the IBM WebSphere DataPower XC10 appliance 2.5 allows remote attackers to obtain administrative privileges by leveraging access to an eXtreme Scale distributed ObjectGrid network and capturing a session cookie.

10.0
2014-10-02 CVE-2014-3059 IBM Local Information Disclosure vulnerability in IBM products

Unspecified vulnerability in the Administrative Console on the IBM WebSphere DataPower XC10 appliance 2.5 allows remote attackers to obtain administrative privileges by leveraging access to an eXtreme Scale distributed ObjectGrid network.

10.0
2014-09-30 CVE-2014-6278 GNU OS Command Injection vulnerability in GNU Bash

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

10.0
2014-10-05 CVE-2014-7861 Apple Improper Input Validation vulnerability in Apple mac OS X

The IOHIDSecurePromptClient function in Apple OS X does not properly validate pointer values, which allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via a crafted web site.

9.3
2014-09-29 CVE-2013-2100 Gentoo Cryptographic Issues vulnerability in Gentoo Portage 2.1.12

The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify binary package lists via a crafted certificate.

9.3
2014-09-29 CVE-2013-3632 Openmediavault Permissions, Privileges, and Access Controls vulnerability in Openmediavault

The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

9.0

18 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-09-30 CVE-2012-5493 Plone Code Injection vulnerability in Plone

gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors.

8.5
2014-09-30 CVE-2012-5487 Plone Permissions, Privileges, and Access Controls vulnerability in Plone

The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

8.5
2014-10-02 CVE-2014-7188 XEN Resource Management Errors vulnerability in XEN

The hvm_msr_read_intercept function in arch/x86/hvm/hvm.c in Xen 4.1 through 4.4.x uses an improper MSR range for x2APIC emulation, which allows local HVM guests to cause a denial of service (host crash) or read data from the hypervisor or other guests via unspecified vectors.

8.3
2014-09-29 CVE-2013-3092 Belkin Improper Authentication vulnerability in Belkin N300 and N300 Firmware

The Belkin N300 (F7D7301v1) router allows remote attackers to bypass authentication and gain privileges via vectors related to incorrect validation of the HTTP Authorization header.

8.3
2014-10-05 CVE-2014-3396 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco products

Cisco IOS XR on ASR 9000 devices does not properly use compression for port-range and address-range encoding, which allows remote attackers to bypass intended Typhoon line-card ACL restrictions via transit traffic, aka Bug ID CSCup30133.

7.5
2014-10-03 CVE-2014-6298 MM Forum Project Code Injection vulnerability in MM Forum Project MM Forum

Unrestricted file upload vulnerability in the mm_forum extension before 1.9.3 for TYPO3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.

7.5
2014-10-03 CVE-2014-6295 WEC MAP Project SQL Injection vulnerability in WEC MAP Project WEC MAP 3.0.0/3.0.1/3.0.2

SQL injection vulnerability in the WEC Map (wec_map) extension before 3.0.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

7.5
2014-10-03 CVE-2014-6293 Kennziffer SQL Injection vulnerability in Kennziffer Statistics

SQL injection vulnerability in the Statistics (ke_stats) extension before 1.1.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in February 2014.

7.5
2014-10-03 CVE-2014-6290 News Project Improper Input Validation vulnerability in News Project News

The News (tt_news) extension before 3.5.2 for TYPO3 allows remote attackers to have unspecified impact via vectors related to an "insecure unserialize" issue.

7.5
2014-10-03 CVE-2014-6289 Daniel Lienert / Michael Knoll Permissions, Privileges, and Access Controls vulnerability in multiple products

The Ajax dispatcher for Extbase in the Yet Another Gallery (yag) extension before 3.0.1 and Tools for Extbase development (pt_extbase) extension before 1.5.1 allows remote attackers to bypass access restrictions and execute arbitrary controller actions via unspecified vectors.

7.5
2014-10-03 CVE-2014-6288 Alex Kellner Permissions, Privileges, and Access Controls vulnerability in Alex Kellner Powermail

The powermail extension 2.x before 2.0.11 for TYPO3 allows remote attackers to bypass the CAPTCHA protection mechanism via unspecified vectors.

7.5
2014-10-03 CVE-2014-3947 Alex Kellner Code Injection vulnerability in Alex Kellner Powermail

Unrestricted file upload vulnerability in the powermail extension before 1.6.11 and 2.x before 2.0.14 for TYPO3 allows remote attackers to execute arbitrary code by uploading a file with a crafted extension, then accessing it via unspecified vectors.

7.5
2014-10-01 CVE-2003-1598 Wordpress SQL Injection vulnerability in Wordpress

SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

7.5
2014-09-30 CVE-2014-6051 Redhat / Fedoraproject / Libvncserver / Debian / Oracle Numeric Errors vulnerability in multiple products

Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer overflow.

7.5
2014-09-29 CVE-2014-3811 Juniper Permissions, Privileges, and Access Controls vulnerability in Juniper products

Juniper Installer Service (JIS) Client 7.x before 7.4R6 for Windows and Junos Pulse Client before 4.0R6 allows local users to gain privileges via unspecified vectors.

7.2
2014-10-03 CVE-2014-5410 Rockwellautomation Resource Management Errors vulnerability in Rockwellautomation AB Micrologix Controller 1400

The DNP3 feature on Rockwell Automation Allen-Bradley MicroLogix 1400 1766-Lxxxxx A FRN controllers 7 and earlier and 1400 1766-Lxxxxx B FRN controllers before 15.001 allows remote attackers to cause a denial of service (process disruption) via malformed packets over (1) an Ethernet network or (2) a serial line.

7.1
2014-10-03 CVE-2014-4809 IBM Remote Denial of Service vulnerability in IBM products

The WebSEAL component in IBM Security Access Manager for Web 7.x before 7.0.0-ISS-WGA-IF0009 and 8.x before 8.0.0-ISS-WGA-FP0005, when e-community SSO is enabled, allows remote attackers to cause a denial of service (component hang) via unspecified vectors.

7.1
2014-09-29 CVE-2013-3066 Linksys Permissions, Privileges, and Access Controls vulnerability in Linksys Ea6500 and Ea6500 Firmware

Linksys EA6500 with firmware 1.1.28.147876 does not properly restrict access, which allows remote attackers to obtain sensitive information (clients and router configuration) via a request to /JNAP/.

7.1

230 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-10-03 CVE-2014-6299 MM Forum Project Cross-Site Request Forgery (CSRF) vulnerability in MM Forum Project MM Forum

Cross-site request forgery (CSRF) vulnerability in the mm_forum extension before 1.9.3 for TYPO3 allows remote attackers to hijack the authentication of users for requests that create posts via unspecified vectors.

6.8
2014-10-02 CVE-2014-7158 Exinda Cross-Site Request Forgery (CSRF) vulnerability in Exinda WAN Optimization Suite 7.0.0

Cross-site request forgery (CSRF) vulnerability in Exinda WAN Optimization Suite 7.0.0 (2160) allows remote attackers to hijack the authentication of administrators for requests that change the admin password via a request to admin/launch.

6.8
2014-09-30 CVE-2014-7190 Openfiler Cross-Site Request Forgery (CSRF) vulnerability in Openfiler 2.99.1

Multiple cross-site request forgery (CSRF) vulnerabilities in Openfiler 2.99.1 allow remote attackers to hijack the authentication of administrators for requests that (1) shutdown or (2) reboot the server via a request to admin/system_shutdown.html.

6.8
2014-09-30 CVE-2014-6273 Debian Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Debian Advanced Package Tool

Buffer overflow in the HTTP transport code in apt-get in APT 1.0.1 and earlier allows man-in-the-middle attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted URL.

6.8
2014-09-30 CVE-2014-5267 Drupal Permissions, Privileges, and Access Controls vulnerability in Drupal

modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document.

6.8
2014-09-30 CVE-2012-5485 Plone Code Injection vulnerability in Plone

registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

6.8
2014-09-29 CVE-2013-3089 Belkin Cross-Site Request Forgery (CSRF) vulnerability in Belkin N300 and N300 Firmware

Cross-site request forgery (CSRF) vulnerability in apply.cgi in Belkin N300 (F7D7301v1) router allows remote attackers to hijack the authentication of administrators for requests that modify configuration.

6.8
2014-09-29 CVE-2013-3086 Belkin Cross-Site Request Forgery (CSRF) vulnerability in Belkin N900 and N900 Firmware

Cross-site request forgery (CSRF) vulnerability in util_system.html in Belkin N900 router allows remote attackers to hijack the authentication of administrators for requests that change configuration settings including passwords and remote management ports.

6.8
2014-09-29 CVE-2013-3083 Belkin Cross-Site Request Forgery (CSRF) vulnerability in Belkin F5D8236-4 V2

Cross-site request forgery (CSRF) vulnerability in cgi-bin/system_setting.exe in Belkin F5D8236-4 v2 allows remote attackers to hijack the authentication of administrators for requests that open the remote management interface on arbitrary ports via the remote_mgmt_enabled and remote_mgmt_port parameters.

6.8
2014-09-29 CVE-2013-3068 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Linksys Wrt310N Router Firmware and Linksys Wrt350N

Cross-site request forgery (CSRF) vulnerability in apply.cgi in Linksys WRT310Nv2 2.0.0.1 allows remote attackers to hijack the authentication of administrators for requests that change passwords and modify remote management ports.

6.8
2014-09-29 CVE-2013-3064 Linksys Open Redirection vulnerability in Linksys Ea6500 and Ea6500 Firmware

Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

6.8
2014-10-05 CVE-2014-2643 HP Remote Privilege Escalation vulnerability in HP Systems Insight Manager

Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

6.5
2014-10-02 CVE-2014-6242 Tips AND Tricks HQ SQL Injection vulnerability in Tips and Tricks HQ ALL in ONE Wordpress Security and Firewall 3.8.2

Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php.

6.5
2014-10-02 CVE-2014-4793 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Websphere MQ 8.0.0.0

IBM WebSphere MQ 8.x before 8.0.0.1 does not properly enforce CHLAUTH rules for blocking client connections in certain circumstances related to the CONNAUTH attribute, which allows remote authenticated users to bypass intended queue-manager access restrictions via unspecified vectors.

6.5
2014-10-01 CVE-2012-0811 Postfix SQL Injection vulnerability in Postfix

Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files generated by backup.php.

6.5
2014-09-30 CVE-2014-6055 Fedoraproject / Debian / Redhat / Libvncserver Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer 0.9.9 and earlier allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3) FileTime attribute in a rfbFileTransferOffer message.

6.5
2014-09-30 CVE-2012-5489 Plone / Zope Permissions, Privileges, and Access Controls vulnerability in multiple products

The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

6.5
2014-10-03 CVE-2014-6292 In2Code Unspecified vulnerability in In2Code Femanager

The femanager extension before 1.0.9 for TYPO3 allows remote frontend users to modify or delete the records of other frontend users via unspecified vectors.

6.4
2014-09-30 CVE-2012-5486 Plone / Zope

ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

6.4
2014-10-02 CVE-2014-7154 Fedoraproject / Debian / XEN / Opensuse Race Condition vulnerability in multiple products

Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ensure possession of the guarding lock for dirty video RAM tracking, which allows certain local guest domains to cause a denial of service via unspecified vectors.

6.1
2014-10-02 CVE-2014-2641 HP Cross-Site Request Forgery (CSRF) vulnerability in HP System Management Homepage

Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

6.0
2014-10-02 CVE-2014-7155 XEN / Debian / Fedoraproject / Opensuse Permissions, Privileges, and Access Controls vulnerability in multiple products

The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1) HLT, (2) LGDT, (3) LIDT, or (4) LMSW instruction.

5.8
2014-10-04 CVE-2014-6933 Wavea Cryptographic Issues vulnerability in Wavea Toraware Takojyou 1.3

The Toraware Takojyou (aka ltd.pte.wavea.torawaretakojyou) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6932 ALL Navalny Project Cryptographic Issues vulnerability in ALL Navalny Project ALL Navalny 1.1

The All Navalny (aka com.all.navalny) application 1.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6931 Myapp Cryptographic Issues vulnerability in Myapp Treves Dance Center 1

The Treves Dance Center (aka com.myapphone.android.myapptrvesdancecenter) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6930 Nobexrc Cryptographic Issues vulnerability in Nobexrc Abram Radio Groove! 3.2.3

The Abram Radio Groove! (aka com.nobexinc.wls_79226887.rc) application 3.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6929 Core Apps Cryptographic Issues vulnerability in Core-Apps Aihce 2014 6.1.0.0

The AIHce 2014 (aka com.coreapps.android.followme.aihce2014) application 6.1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6928 Rastreadordecelulares Cryptographic Issues vulnerability in Rastreadordecelulares Rastreador DE Celulares 5.0.0

The Rastreador de Celulares (aka com.mobincube.android.sc_9KTH8) application 5.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6927 Myanmars Cryptographic Issues vulnerability in Myanmars Myanmar Housing : Mmhome 1.3

The Myanmar Housing : mmHome (aka com.mmhome3) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6926 Paperton Cryptographic Issues vulnerability in Paperton Allt OM Brollop 1.53

The Allt om Brollop (aka com.paperton.wl.alltombrollop) application 1.53 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6925 Gcspublishing Cryptographic Issues vulnerability in Gcspublishing Steyr Forum 3.9.12

The Steyr Forum (aka com.tapatalk.steyrclubcomvb) application 3.9.12 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6924 Metroseoul Cryptographic Issues vulnerability in Metroseoul Metro News 1.6.5

The Metro News (aka com.netpia.ha.metro) application 1.6.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6923 Mobitrips Cryptographic Issues vulnerability in Mobitrips Dubrovnik Guided Walking Tours 1.3.2

The Dubrovnik Guided Walking Tours (aka com.mytoursapp.android.app351) application 1.3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6922 Listener Interactive Cryptographic Issues vulnerability in Listener-Interactive Kfai Community Radio 2.0.4

The KFAI Community Radio (aka com.skyblue.pra.kfai) application 2.0.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6921 Orderingapps Cryptographic Issues vulnerability in Orderingapps Buckhorn Grill 2.8

The Buckhorn Grill (aka com.orderingapps.buckhorn) application 2.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6920 Canal44 Cryptographic Issues vulnerability in Canal44 Canal 44 1

The Canal 44 (aka com.canal.canal44) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6919 Afsinc Cryptographic Issues vulnerability in Afsinc Metalcasting Newsstand 3.12.0

The Metalcasting Newsstand (aka air.com.yudu.ReaderAIR3017071) application 3.12.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6918 Bikersunderground Cryptographic Issues vulnerability in Bikersunderground Bikers Underground 4.5.10

The Bikers Underground (aka hr.ap.n66871172) application 4.5.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6917 Kftc Cryptographic Issues vulnerability in Kftc Www.Knote.Kr Smart 1.0.3

The www.knote.kr Smart (aka kr.or.knote.android) application 1.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6916 Mama Cryptographic Issues vulnerability in Mama Mama.Cn 1.02

The mama.cn (aka cn.ziipin.mama.ui) application 1.02 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6914 Houcine EL Jasmi Project Cryptographic Issues vulnerability in Houcine EL Jasmi Project Houcine EL Jasmi 1

The Houcine El Jasmi (aka com.devkhr31.houcineeljasmi) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6913 Paperton Cryptographic Issues vulnerability in Paperton Dive the World 1.53

The Dive The World (aka com.paperton.wl.divetheworld) application 1.53 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6912 Core Apps Cryptographic Issues vulnerability in Core-Apps Ira'S 59Th Annual Conference 6.0.7.6

The IRA's 59th Annual Conference (aka com.coreapps.android.followme.ira_14) application 6.0.7.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6911 Diziturky Cryptographic Issues vulnerability in Diziturky HD 2015 2014

The diziturky HD 2015 (aka com.adv.diziturky) application 2014 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6910 Memorizeit Cryptographic Issues vulnerability in Memorizeit Memorizeit! 1.7.2

The MemorizeIt! (aka com.kshinenterprises.kshinent.memorizeit) application 1.7.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6909 Enyetech Cryptographic Issues vulnerability in Enyetech Coca-Cola FM Peru 2.0.41716

The Coca-Cola FM Peru (aka com.enyetech.radio.coca_cola.fm_pe) application 2.0.41716 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6908 Immigrer Cryptographic Issues vulnerability in Immigrer Forum IC 3.3.12

The Forum IC (aka com.tapatalk.forumimmigrercom) application 3.3.12 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6907 Trafficgate Cryptographic Issues vulnerability in Trafficgate Rakuten Install 1.5.0

The Rakuten Install (aka co.jp.rakuten.installapp) application 1.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-04 CVE-2014-6906 Loli Chocolate Cake Project Cryptographic Issues vulnerability in Loli Chocolate Cake Project Loli Chocolate Cake 1.0.0

The Loli Chocolate Cake (aka com.alison.kang.chocolatecake) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-03 CVE-2014-6905 H2O Human Harmony Organization Project Cryptographic Issues vulnerability in H2O Human Harmony Organization Project H2O Human Harmony Organization 1.6.5

The H2O Human Harmony Organization (aka com.netpia.ha.theh2o) application 1.6.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-03 CVE-2014-6903 Tionetworks Cryptographic Issues vulnerability in Tionetworks Gulf Power Mobile Bill PAY 1

The Gulf Power Mobile Bill Pay (aka com.tionetworks.gulf) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-03 CVE-2014-6902 Anjuke Cryptographic Issues vulnerability in Anjuke 7.1.7

The Anjuke (aka com.anjuke.android.app) application 7.1.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-03 CVE-2014-6901 Nobexrc Cryptographic Issues vulnerability in Nobexrc Radios DEL Ecuador 3.2.4

The RADIOS DEL ECUADOR (aka com.nobexinc.wls_87612622.rc) application 3.2.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-03 CVE-2014-6900 Core Apps Cryptographic Issues vulnerability in Core-Apps Eage Amsterdam 2014 6.1.1.2

The EAGE Amsterdam 2014 (aka com.coreapps.android.followme.eage_2014) application 6.1.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-03 CVE-2014-6899 Jazeeraairways Cryptographic Issues vulnerability in Jazeeraairways Jazeera Airways 2.7
The Jazeera Airways (aka com.winit.jazeeraairways) application 2.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-03 CVE-2014-6898 Boopsie Cryptographic Issues vulnerability in Boopsie Mylibrary 4.5.110
The Boopsie MyLibrary (aka com.bredir.boopsie.mylibrary) application 4.5.110 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-03 CVE-2014-6897 Tamrielma Cryptographic Issues vulnerability in Tamrielma Skyrim MAP 2.1
The Skyrim Map (aka com.neko.skyrimmap) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-03 CVE-2014-6896 Yikyakapp Cryptographic Issues vulnerability in Yikyakapp YIK YAK 2.0.002
The Yik Yak (aka com.yik.yak) application 2.0.002 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-03 CVE-2014-6895 Nexters Cryptographic Issues vulnerability in Nexters Throne Rush 2.3.10
The Throne Rush (aka com.progrestar.bft) application 2.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-03 CVE-2014-6894 Lucktastic Cryptographic Issues vulnerability in Lucktastic 1.2.6
The Lucktastic (aka com.lucktastic.scratch) application 1.2.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6893 Pushpinsapp Cryptographic Issues vulnerability in Pushpinsapp Pushpins Grocery Coupons 1.56
The Pushpins Grocery Coupons (aka com.pushpinsapp.pushpins) application 1.56 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6892 Kalahari Cryptographic Issues vulnerability in Kalahari Kalahari.Com Shopping 1.4.2.1
The kalahari.com Shopping (aka com.kalahari.shop) application 1.4.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6890 Couponcabin Coupons Deals Project Cryptographic Issues vulnerability in Couponcabin - Coupons & Deals Project Couponcabin - Coupons & Deals 3.6
The CouponCabin - Coupons & Deals (aka com.couponcabin) application 3.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6889 Gunbroker Cryptographic Issues vulnerability in Gunbroker Gunbroker.Com 1.1.2
The GunBroker.com (aka com.gunbroker.android) application 1.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6888 Pennytalk Cryptographic Issues vulnerability in Pennytalk Mobile 2.0.3.0
The PennyTalk Mobile (aka net.idt.pennytalk.android) application 2.0.3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6886 Wephoneapp Cryptographic Issues vulnerability in Wephoneapp Wephone - Phone Calls VS Skype 1.03.00
The WePhone - phone calls vs skype (aka com.wephoneapp) application 1.03.00 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6885 Usbank Cryptographic Issues vulnerability in Usbank Academy Sports + Outdoors Visa 1.18
The Academy Sports + Outdoors Visa (aka com.usbank.icsmobile.academysports) application 1.18 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6884 Ford Cryptographic Issues vulnerability in Ford Credit Account Manager 1.0.1
The Ford Credit Account Manager (aka com.fordcredit.accountmanager) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6883 CNN Cryptographic Issues vulnerability in CNN Cnnmoney Portfolio for Stocks 1.0.2
The CNNMoney Portfolio for stocks (aka com.cnn.portfolio) application 1.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6882 Western Cryptographic Issues vulnerability in Western Federal Credit Union 2.1
The Western Federal Credit Union (aka com.kerrata.pulse.western) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6881 PNC Cryptographic Issues vulnerability in PNC Virtual Wallet BY PNC
The PNC Virtual Wallet (aka com.pnc.ecommerce.mobile.vw.android) application before 2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6880 Tradehero Cryptographic Issues vulnerability in Tradehero 2.2.5
The TradeHero (aka com.tradehero.th) application 2.2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6879 Equifax Cryptographic Issues vulnerability in Equifax Mobile 1.5
The Equifax Mobile (aka com.equifax) application 1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6878 Rbfcu Cryptographic Issues vulnerability in Rbfcu Mobile 3.1
The RBFCU Mobile (aka com.Vertifi.DeposZip.P314089681) application 3.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6877 Santanderbank Cryptographic Issues vulnerability in Santanderbank Santander Personal Banking 2.1
The Santander Personal Banking (aka com.sovereign.santander) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6876 Serve Cryptographic Issues vulnerability in Serve American Express Serve @7F0901E4
The American Express Serve (aka com.serve.mobile) application @7F0901E4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6875 Woodforest Cryptographic Issues vulnerability in Woodforest Mobile Banking 3.1
The Woodforest Mobile Banking (aka com.woodforest) application 3.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6874 Concursive Cryptographic Issues vulnerability in Concursive Modsim Connected 2
The ModSim Connected (aka com.concursive.modsim) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6873 Amecuae Cryptographic Issues vulnerability in Amecuae Amgc 6
The AMGC (aka com.amec.uae) application 6.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6872 Ttnetmuzik Cryptographic Issues vulnerability in Ttnetmuzik Ttnet Muzik 3.2
The TTNET Muzik (aka com.ttnet.muzik) application 3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6871 Hogs FLY Crazy Project Cryptographic Issues vulnerability in Hogs FLY Crazy Project Hogs FLY Crazy 1.0.0
The Hogs Fly Crazy (aka com.pedrojayme.hogsflycrazy) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6870 Bgenergy Cryptographic Issues vulnerability in Bgenergy 1.153.0034
The BGEnergy (aka com.bluegrass.smartapps) application 1.153.0034 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6869 Barcode Scanner Project Cryptographic Issues vulnerability in Barcode Scanner Project Barcode Scanner 2.3.0
The barcode scanner (aka tw.com.books.android.plus) application 2.3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6868 Synology Cryptographic Issues vulnerability in Synology DS Audio 3.4
The DS audio (aka com.synology.DSaudio) application 3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6867 Sortir EN Alsace Cryptographic Issues vulnerability in Sortir-En-Alsace Sortir EN Alsace 0.5B
The Sortir en Alsace (aka com.axessweb.sortirenalsace) application 0.5b for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6866 Homeadvisor Cryptographic Issues vulnerability in Homeadvisor Mobile 3.0.3
The HomeAdvisor Mobile (aka com.servicemagic.consumer) application 3.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6865 Jamalbates Cryptographic Issues vulnerability in Jamalbates Jamal Bates Show 1.3.14.254
The Jamal Bates Show (aka com.conduit.app_3a95e13827c54c4da9056fafb33ecc8d.app) application 1.3.14.254 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6864 Socialknowledge Cryptographic Issues vulnerability in Socialknowledge Forest River Forums 3.7.5
The Forest River Forums (aka com.socialknowledge.forestriverforums) application 3.7.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6863 Digitalfruit Cryptographic Issues vulnerability in Digitalfruit Mootorratturid & Biker.Ee 1
The Mootorratturid & biker.ee (aka ee.digitalfruit.mootorratturid) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6862 Gencat Cryptographic Issues vulnerability in Gencat Artacces 1
The ArtAcces (aka cat.gencat.mobi.artacces) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6861 Terrarienbilder Cryptographic Issues vulnerability in Terrarienbilder Terrarienbilder.Com Forum 3.8.20
The Terrarienbilder.com Forum (aka com.tapatalk.terrarienbildercomvb) application 3.8.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6860 Trialtracker Cryptographic Issues vulnerability in Trialtracker Trial Tracker 1.1.9
The Trial Tracker (aka com.etcweb.android.trial_tracker) application 1.1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6859 Daum Cryptographic Issues vulnerability in Daum Maps - Subway 3.9.1
The Daum Maps - Subway (aka net.daum.android.map) application 3.9.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6858 Mostafa Shemeas Project Cryptographic Issues vulnerability in Mostafa Shemeas Project Mostafa Shemeas 1
The Mostafa Shemeas (aka com.mostafa.shemeas.website) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6857 Arabia2000 Cryptographic Issues vulnerability in Arabia2000 CAR Wallpapers HD 1.3
The Car Wallpapers HD (aka com.arab4x4.gallery.app) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-02 CVE-2014-6856 Myvet2Pet Cryptographic Issues vulnerability in Myvet2Pet Ahrah 219426
The AHRAH (aka com.vet2pet.aid219426) application 219426 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-01 CVE-2014-6855 Imop Cryptographic Issues vulnerability in Imop Long 1.0.4
The Long (aka com.imop.longjiang.android) application 1.0.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-01 CVE-2014-6854 Eyexam Cryptographic Issues vulnerability in Eyexam 1.4
The EyeXam (aka com.globaleyeventures.eyexam) application 1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-01 CVE-2014-6853 Foxitsoftware Cryptographic Issues vulnerability in Foxitsoftware Foxit Mobilepdf - PDF Reader 2.2.0.0616
The Foxit MobilePDF - PDF Reader (aka com.foxit.mobile.pdf.lite) application 2.2.0.0616 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-01 CVE-2014-6852 Automon Cryptographic Issues vulnerability in Automon Ledline.Gr Official 1.4.0.9
The LedLine.gr Official (aka com.automon.ledline.gr) application 1.4.0.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-10-01 CVE-2014-6851 Nbcfc Cryptographic Issues vulnerability in Nbcfc NEW Beginnings CFC 1.1
The New Beginnings CFC (aka com.goodbarber.nbcfc) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6850 Starkvilleelectric Cryptographic Issues vulnerability in Starkvilleelectric SED Account 1.153.0034
The SED Account (aka com.starkville.smartapps) application 1.153.0034 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6848 Synology Cryptographic Issues vulnerability in Synology DS File 4.1.1
The DS file (aka com.synology.DSfile) application 4.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6847 Horoscopesanddreams Cryptographic Issues vulnerability in Horoscopesanddreams Horoscopes and Dreams 1.0.1
The Horoscopes and Dreams (aka com.horoscopesanddreams) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6846 Intelitycorp Cryptographic Issues vulnerability in Intelitycorp Four Seasons Beverly Hills @7F050007
The Four Seasons Beverly Hills (aka com.intelitycorp.FourSeasons.android.ice) application @7F050007 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6845 Mediafire Cryptographic Issues vulnerability in Mediafire 1.1.1
The MediaFire (aka com.mediafire.android) application 1.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6844 Tabtale Cryptographic Issues vulnerability in Tabtale ABC Song 1.0.0
The ABC Song (aka com.tabtale.abcsingalong) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6843 Orderingapps Cryptographic Issues vulnerability in Orderingapps Sweatshop 2.96
The Sweatshop (aka com.orderingapps.sweatshop) application 2.96 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6842 Gannett Cryptographic Issues vulnerability in Gannett Daily Advertiser Print 6.7
The Daily Advertiser Print (aka com.lafayettedailyadv.android.prod) application 6.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6841 Rtiindia Cryptographic Issues vulnerability in Rtiindia RTI India 3.8.21
The RTI INDIA (aka com.vbulletin.build_890) application 3.8.21 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6840 Weddingselections Cryptographic Issues vulnerability in Weddingselections MY Wedding Planner 1.5
The My Wedding Planner (aka app.wedding) application 1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6839 Webizz Cryptographic Issues vulnerability in Webizz Alma Corinthiana 1
The Alma Corinthiana (aka com.alma.corinthiana) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6838 Twitter Cryptographic Issues vulnerability in Twitter Groupama Toujours LA 1.3.0
The Groupama toujours la (aka com.groupama.toujoursla) application 1.3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6837 Hillside Project Cryptographic Issues vulnerability in Hillside Project Hillside 1.1
The Hillside (aka com.hillside.hermanus) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6836 Synology Cryptographic Issues vulnerability in Synology DS Photo+ 3.3
The DS photo+ (aka com.synology.dsphoto) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6835 Freetibet Cryptographic Issues vulnerability in Freetibet Herbal Guide 1
The Herbal Guide (aka com.pocket.herbal.guide) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6834 Instaroid Instagram Viewer Project Cryptographic Issues vulnerability in Instaroid - Instagram Viewer Project Instaroid - Instagram Viewer 1.2.1
The Instaroid - Instagram Viewer (aka net.muik.instaroid) application 1.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6833 Auctiontrac Cryptographic Issues vulnerability in Auctiontrac Dealer 2.0.3
The AuctionTrac Dealer (aka com.adesa.dealer.phone) application 2.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6832 Gcspublishing Cryptographic Issues vulnerability in Gcspublishing Bersa Forum 3.9.16
The Bersa Forum (aka com.gcspublishing.bersaforum) application 3.9.16 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6831 Hippostudio Cryptographic Issues vulnerability in Hippostudio Hippo Studio 1
The Hippo Studio (aka com.appgreen.hippostudio) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6830 Covetfashion Cryptographic Issues vulnerability in Covetfashion Covet Fashion - Shopping Game 2.14.40
The Covet Fashion - Shopping Game (aka com.crowdstar.covetfashion) application 2.14.40 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6829 Gethook Cryptographic Issues vulnerability in Gethook Hook 0.9.3
The Hook (aka com.hook.android) application 0.9.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6828 Gecu Cryptographic Issues vulnerability in Gecu Gulf Credit Union 1.1
The Gulf Credit Union (aka Fi_Mobile.Gulf) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6827 Halgame Cryptographic Issues vulnerability in Halgame DK Online Beta 1.0.2
The DK ONLINE Beta (aka com.sgmobile.dkonline) application 1.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6826 TIC TAC TO THE MAX Free Project Cryptographic Issues vulnerability in Tic-Tac TO the MAX Free Project Tic-Tac TO the MAX Free 1.2
The Tic-Tac To The MAX FREE (aka com.tothemax) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6825 Teatrofrancoparenti Cryptographic Issues vulnerability in Teatrofrancoparenti Teatro Franco Parenti 1.4.0
The Teatro Franco Parenti (aka com.mintlab.mx.teatroparenti) application 1.4.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6824 Kamkomesan Project Cryptographic Issues vulnerability in Kamkomesan Project Kamkomesan 1
The kamkomesan (aka com.anek.kamkomesan) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6823 Zhtiantian Cryptographic Issues vulnerability in Zhtiantian Kuailecaidengmi 1.7.12.15
The kuailecaidengmi (aka com.licai.kuailecaidengmi) application 1.7.12.15 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6822 Nerdico Project Cryptographic Issues vulnerability in Nerdico Project Nerdico 1.9
The Nerdico (aka com.nerdico.danielepais) application 1.9 Stable for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6821 Voetbal Project Cryptographic Issues vulnerability in Voetbal Project Voetbal 4.7.2
The voetbal (aka nl.jborsje.android.voetbal.az) application 4.7.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6820 Amebra Ameba Project Cryptographic Issues vulnerability in Amebra Ameba Project Amebra Ameba 1.0.0
The Amebra Ameba (aka jp.honeytrap15.amebra) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6819 Lappgroup Cryptographic Issues vulnerability in Lappgroup Lapp Group Catalogue 1.4
The Lapp Group Catalogue (aka com.prinovis.LappKabel) application 1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6818 Core Apps Cryptographic Issues vulnerability in Core-Apps Ohbm 20Th Annual Meeting 6.0.9.2
The OHBM 20th Annual Meeting (aka com.coreapps.android.followme.ohbm2014) application 6.0.9.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6817 Covechurch Cryptographic Issues vulnerability in Covechurch Cove 1.0.2
The Cove (aka org.covechurch.app) application 1.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6816 Lvtu99 Cryptographic Issues vulnerability in Lvtu99 Wisdom 2.1
The WISDOM (aka lvtu99.com.nescmxiaoniuniu) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6815 Voucherry Cryptographic Issues vulnerability in Voucherry Vouch! 2.1.6
The Vouch! (aka com.voucherry.voucherry) application 2.1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6814 Sentinels Randomizer Project Cryptographic Issues vulnerability in Sentinels Randomizer Project Sentinels Randomizer 1.1.0
The Sentinels Randomizer (aka com.mikehipps.sentinelsrandomizer) application 1.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6813 Klassens Project Cryptographic Issues vulnerability in Klassens Project Klassens 1
The klassens (aka com.mcreda.klassens.apps) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6812 Qmania Cryptographic Issues vulnerability in Qmania Aloha Guide 1.5
The Aloha Guide (aka com.aloha.guide.english) application 1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6810 Core Apps Cryptographic Issues vulnerability in Core-Apps Rims 2014 Annual Conference 6.0.7.4
The RIMS 2014 Annual Conference (aka com.coreapps.android.followme.rims2014) application 6.0.7.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6808 Active 24 Project Cryptographic Issues vulnerability in Active 24 Project Active 24 1.0.1
The Active 24 (aka com.zentity.app.active24) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6807 Olaschool Cryptographic Issues vulnerability in Olaschool OLA School 1.2.7.132
The OLA School (aka com.conduit.app_00f9890a4f0145f2aae9d714e20b273a.app) application 1.2.7.132 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6806 Intellegere Cryptographic Issues vulnerability in Intellegere Thanodi - Setswana Translator 1.0.0
The Thanodi - Setswana Translator (aka com.thanodi.thanodi) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-30 CVE-2014-6805 Weibo Project Cryptographic Issues vulnerability in Weibo Project Weibo 1.2
The weibo (aka magic.weibo) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-29 CVE-2014-6804 Boopsie Cryptographic Issues vulnerability in Boopsie Deschutes Public Mobilelibrary 4.5.110
The Deschutes Public MobileLibrary (aka com.bredir.boopsie.deschutes) application 4.5.110 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-29 CVE-2014-6803 BM Cryptographic Issues vulnerability in BM Bank of Moscow Eirts Rent 1.0.0
The Bank of Moscow EIRTS Rent (aka ru.bm.rbs.android) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-29 CVE-2014-6802 Subsplash Cryptographic Issues vulnerability in Subsplash First Assembly NLR 2.8.0
The First Assembly NLR (aka com.subsplash.thechurchapp.firstassemblynlr) application 2.8.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-29 CVE-2014-6801 Frank Matano Project Cryptographic Issues vulnerability in Frank Matano Project Frank Matano 1
The frank matano (aka com.frank.matano) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-29 CVE-2014-6800 Parentlink Cryptographic Issues vulnerability in Parentlink Bloom Township 206 4.0.500
The Bloom Township 206 (aka net.parentlink.bloom) application 4.0.500 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-29 CVE-2014-6799 Broadcom Cryptographic Issues vulnerability in Broadcom Investigation Tool 1.0.0
The Investigation Tool (aka gov.ca.post.lp.itool) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-29 CVE-2014-6798 Weeverapps Cryptographic Issues vulnerability in Weeverapps Mcmaster Marauders 1.0.1
The McMaster Marauders (aka com.weever.marauders) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS: 5.4

2014-09-29 CVE-2014-6797 ABU ALI Anasheeds Project Cryptographic Issues vulnerability in ABU ALI Anasheeds Project ABU ALI Anasheeds 1.1
The Abu Ali Anasheeds (aka com.faapps.abuali_anasheeds) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6796 Localsense Cryptographic Issues vulnerability in Localsense 1.2.1

The LocalSense (aka com.LocalSense) application 1.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6795 Gcspublishing Cryptographic Issues vulnerability in Gcspublishing Beekeeping Forum 3.9.15

The Beekeeping Forum (aka com.tapatalk.supporttapatalkcomxxxxx) application 3.9.15 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6794 Boopsie Cryptographic Issues vulnerability in Boopsie Aapld 4.5.110

The AAPLD (aka com.bredir.boopsie.aapld) application 4.5.110 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6793 Roboticoverlords Cryptographic Issues vulnerability in Roboticoverlords Arch Friend 0.4.2

The Arch Friend (aka com.xyproto.archfriend) application 0.4.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6792 Suriname Radio Project Cryptographic Issues vulnerability in Suriname Radio Project Suriname Radio 1.5

The Suriname Radio (aka com.wordbox.surinameRadio) application 1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6791 Atastefromheaven Cryptographic Issues vulnerability in Atastefromheaven Angel Reigns 1.2.6.185

The Angel Reigns (aka com.conduit.app_dab60e7bd60d4f23a14b3fb7357f9dcd.app) application 1.2.6.185 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6790 Keyinternet Cryptographic Issues vulnerability in Keyinternet Invex 1.0.2

The INVEX (aka com.mobilatolye.keyinternet) application 1.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6789 Boopsie Cryptographic Issues vulnerability in Boopsie Anaheim Library 2Go! 4.5.110

The Anaheim Library 2Go! (aka com.bredir.boopsie.anaheim) application 4.5.110 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6788 Oman News Project Cryptographic Issues vulnerability in Oman News Project Oman News 1

The Oman News (aka com.oman.news.rmtzlnbuooordciw) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6787 Counterintuition Cryptographic Issues vulnerability in Counterintuition Counter Intuition 1.2

The Counter Intuition (aka com.counter.intuition) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6786 Tinytap Cryptographic Issues vulnerability in Tinytap Math for Kids - Subtraction 1.2.10

The Math for Kids - Subtraction (aka it.tinytap.attsa.deepsub) application 1.2.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6785 Subsplash Cryptographic Issues vulnerability in Subsplash Renny Mclean Ministries 2.8.1

The Renny McLean Ministries (aka com.subsplash.thechurchapp.s_GJQX72) application 2.8.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6784 Fermononrespiri Cryptographic Issues vulnerability in Fermononrespiri Mobile 3.8.6

The Fermononrespiri Mobile (aka com.tapatalk.rmonlineitforums) application 3.8.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6783 Campustv Cryptographic Issues vulnerability in Campustv Campus Link - Campus TV Hkusu 2.2

The Campus Link - Campus TV HKUSU (aka com.campus.tv.hkusu) application 2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6782 Abrahamtours Cryptographic Issues vulnerability in Abrahamtours Abraham Tours 1.1.2

The Abraham Tours (aka com.mytoursapp.android.app432) application 1.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6781 Mobilizedsolutions Cryptographic Issues vulnerability in Mobilizedsolutions Aloha Stadium - Hawaii 1.2

The Aloha Stadium - Hawaii (aka com.stadium.aloha) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6780 Meitalk Cryptographic Issues vulnerability in Meitalk @7F060012

The MeiTalk (aka com.playjia.meitalk) application @7F060012 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6779 Cart APP Cryptographic Issues vulnerability in Cart-App Cart APP 1.5

The Cart App (aka com.virtecha.mobilewallet) application 1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6778 Gcspublishing Cryptographic Issues vulnerability in Gcspublishing Goat Forum 3.9.15

The Goat Forum (aka com.gcspublishing.goatspot) application 3.9.15 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6777 Blueeleph Project Cryptographic Issues vulnerability in Blueeleph Project Blueeleph 1

The blueeleph (aka eg.film.blueeleph) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6776 Uanw Cryptographic Issues vulnerability in Uanw United Advantage NW Federal CR 1.7

The United Advantage NW Federal Cr (aka com.myappengine.uanwfcu) application 1.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6775 Animalcenter Cryptographic Issues vulnerability in Animalcenter Light for Pets 1

The Light for Pets (aka com.helenwoodward.light4pets) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6774 Neorcha Cryptographic Issues vulnerability in Neorcha Usek 1.0.8

The USEK (aka com.university.usek) application 1.0.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6773 Bowenehs Cryptographic Issues vulnerability in Bowenehs CIH Quiz Game 1.3

The CIH Quiz game (aka com.bowenehs.cihquizgameapp) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-09-29 CVE-2014-6772 Unitedecu Cryptographic Issues vulnerability in Unitedecu United Educational CU 1.0.27

The United Educational CU (aka com.metova.cuae.uecu) application 1.0.27 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.4
2014-10-05 CVE-2014-3398 Cisco Information Exposure vulnerability in Cisco Adaptive Security Appliance Software

The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to obtain potentially sensitive software-version information by reading the verbose response data that is provided for a request to an unspecified URL, aka Bug ID CSCuq65542.

5.0
2014-10-04 CVE-2014-7278 Zyxel Improper Input Validation vulnerability in Zyxel Sbg3300-N and Sbg3300-N Firmware

The login page on the ZyXEL SBG-3300 Security Gateway with firmware 1.00(AADY.4)C0 and earlier allows remote attackers to cause a denial of service (persistent web-interface outage) via JavaScript code within unspecified "welcome message" form data that is improperly handled during use for the loginMsg variable's value, a different vulnerability than CVE-2014-7277.

5.0
2014-10-02 CVE-2014-4765 IBM Information Exposure vulnerability in IBM products

IBM Maximo Asset Management 7.1 through 7.1.1.13 and 7.5 through 7.5.0.6, Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 7.1 and 7.2 for Tivoli IT Asset Management for IT and certain other products allow remote attackers to obtain sensitive directory information by reading an unspecified error message.

5.0
2014-09-30 CVE-2014-3395 Cisco Improper Input Validation vulnerability in Cisco Webex Meetings Server 2.5

Cisco WebEx Meetings Server (WMS) 2.5 allows remote attackers to trigger the download of arbitrary files via a crafted URL, aka Bug ID CSCup10343.

5.0
2014-09-30 CVE-2014-4728 TP Link Resource Management Errors vulnerability in Tp-Link Tl-Wdr4300 and Tl-Wdr4300 Firmware

The web server in the TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) with firmware before 140916 allows remote attackers to cause a denial of service (crash) via a long header in a GET request.

5.0
2014-09-30 CVE-2014-6269 Haproxy Numeric Errors vulnerability in Haproxy

Multiple integer overflows in the http_request_forward_body function in proto_http.c in HAProxy 1.5-dev23 before 1.5.4 allow remote attackers to cause a denial of service (crash) via a large stream of data, which triggers a buffer overflow and an out-of-bounds read.

5.0
2014-09-30 CVE-2014-3558 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Hibernate Validator

ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.

5.0
2014-09-30 CVE-2012-5506 Plone Resource Management Errors vulnerability in Plone

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access.

5.0
2014-09-30 CVE-2012-5505 Plone Information Exposure vulnerability in Plone

atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name.

5.0
2014-09-30 CVE-2012-5503 Plone Unspecified vulnerability in Plone

ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.

5.0
2014-09-30 CVE-2012-5501 Plone Permissions, Privileges, and Access Controls vulnerability in Plone

at_download.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read arbitrary BLOBs (Files and Images) stored on custom content types via a crafted URL.

5.0
2014-09-30 CVE-2012-5499 Plone Resource Management Errors vulnerability in Plone

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns.

5.0
2014-09-30 CVE-2012-5498 Plone Permissions, Privileges, and Access Controls vulnerability in Plone

queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection.

5.0
2014-09-30 CVE-2012-5497 Plone Information Exposure vulnerability in Plone

membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL.

5.0
2014-09-30 CVE-2012-5496 Plone Resource Management Errors vulnerability in Plone

kupu_spellcheck.py in Kupu in Plone before 4.0 allows remote attackers to cause a denial of service (ZServer thread lock) via a crafted URL.

5.0
2014-09-30 CVE-2012-5495 Plone Code Injection vulnerability in Plone

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."

5.0
2014-09-30 CVE-2012-5492 Plone Information Exposure vulnerability in Plone

uid_catalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to obtain metadata about hidden objects via a crafted URL.

5.0
2014-09-30 CVE-2012-5488 Plone Code Injection vulnerability in Plone

python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

5.0
2014-09-29 CVE-2012-5621 Ekiga Improper Input Validation vulnerability in Ekiga

lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows remote attackers to cause a denial of service (crash) via an OPAL connection with a party name that contains invalid UTF-8 strings.

5.0
2014-09-29 CVE-2013-1874 Call CC Local Arbitrary Code Execution vulnerability in Chicken '.csirc' File

Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory.

4.4
2014-10-05 CVE-2014-2645 HP Improper Input Validation vulnerability in HP Systems Insight Manager

HP Systems Insight Manager (SIM) before 7.4 allows remote attackers to conduct clickjacking attacks via unknown vectors.

4.3
2014-10-04 CVE-2014-7277 Zyxel Cross-Site Scripting vulnerability in Zyxel Sbg3300-N and Sbg3300-N Firmware

Cross-site scripting (XSS) vulnerability in the login page on the ZyXEL SBG-3300 Security Gateway with firmware 1.00(AADY.4)C0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified "welcome message" form data that is improperly handled during rendering of the loginMessage list item, a different vulnerability than CVE-2014-7278.

4.3
2014-10-03 CVE-2014-6297 MM Forum Project Cross-Site Scripting vulnerability in MM Forum Project MM Forum

Cross-site scripting (XSS) vulnerability in the mm_forum extension before 1.9.3 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-10-03 CVE-2014-6296 WEC MAP Project Cross-Site Scripting vulnerability in WEC MAP Project WEC MAP 3.0.0/3.0.1/3.0.2

Cross-site scripting (XSS) vulnerability in the WEC Map (wec_map) extension before 3.0.3 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-10-03 CVE-2014-6294 External Links Click Statistics Project Cross-Site Scripting vulnerability in External Links Click Statistics Project External Links Click Statistics

Cross-site scripting (XSS) vulnerability in the External links click statistics (outstats) extension 0.0.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-10-03 CVE-2014-6291 Alphabetic Sitemap Project Cross-Site Scripting vulnerability in Alphabetic Sitemap Project Alphabetic Sitemap 0.0.1/0.0.2/0.0.3

Cross-site scripting (XSS) vulnerability in the Alphabetic Sitemap (alpha_sitemap) extension 0.0.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-10-03 CVE-2014-6079 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in the Local Management Interface in IBM Security Access Manager for Web 7.x before 7.0.0-ISS-WGA-IF0009 and 8.x before 8.0.0-ISS-WGA-FP0005, and Security Access Manager for Mobile 8.x before 8.0.0-ISS-ISAM-FP0005, allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3
2014-10-02 CVE-2014-7157 Exinda Cross-Site Scripting vulnerability in Exinda WAN Optimization Suite 7.0.0

Cross-site scripting (XSS) vulnerability in Exinda WAN Optimization Suite 7.0.0 (2160) allows remote attackers to inject arbitrary web script or HTML via the tabsel parameter to admin/launch.

4.3
2014-10-02 CVE-2014-7144 Openstack Cryptographic Issues vulnerability in Openstack Keystonemiddleware and Python-Keystoneclient

OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certificate verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

4.3
2014-10-02 CVE-2014-3097 IBM Open Redirection vulnerability in IBM Tivoli Federated Identity Manager 6.2.0/6.2.1/6.2.2

Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0-TIV-TFIM-IF0015, 6.2.1 before 6.2.1-TIV-TFIM-IF0007, and 6.2.2 before 6.2.2-TIV-TFIM-IF0011 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

4.3
2014-10-02 CVE-2014-2642 HP Improper Input Validation vulnerability in HP System Management Homepage

HP System Management Homepage (SMH) before 7.4 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

4.3
2014-10-02 CVE-2014-2640 HP Cross-Site Scripting vulnerability in HP System Management Homepage

Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-10-01 CVE-2011-4624 Codeasily Cross-Site Scripting vulnerability in Codeasily Grand Flagallery 1.56

Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

4.3
2014-09-30 CVE-2014-6619 Restaurantmis Cross-Site Scripting vulnerability in Restaurantmis Restaurant Script 1.0.0

Multiple cross-site scripting (XSS) vulnerabilities in register-exec.php in Restaurant Script (PizzaInn_Project) 1.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) fname, (2) lname, or (3) login parameter.

4.3
2014-09-30 CVE-2014-6618 Your Online Shop Project Cross-Site Scripting vulnerability in Your Online Shop Project Your Online Shop

Cross-site scripting (XSS) vulnerability in Your Online Shop allows remote attackers to inject arbitrary web script or HTML via the products_id parameter.

4.3
2014-09-30 CVE-2014-4727 TP Link Cross-Site Scripting vulnerability in Tp-Link Tl-Wdr4300 and Tl-Wdr4300 Firmware

Cross-site scripting (XSS) vulnerability in the DHCP clients page in the TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) with firmware before 140916 allows remote attackers to inject arbitrary web script or HTML via the hostname in a DHCP request.

4.3
2014-09-30 CVE-2014-7199 Mediawiki Cross-Site Scripting vulnerability in Mediawiki

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, 1.22.x before 1.22.11, and 1.23.x before 1.23.4 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file.

4.3
2014-09-30 CVE-2014-5444 Yorba Cryptographic Issues vulnerability in Yorba Geary

Geary before 0.6.3 does not present the user with a warning when a TLS certificate error is detected, which makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

4.3
2014-09-30 CVE-2014-0170 Redhat
Jboss

Teiid before 8.4.3 and before 8.7 and Red Hat JBoss Data Virtualization 6.0.0 before patch 3 allows remote attackers to read arbitrary files via a crafted request to a REST endpoint, related to an XML External Entity (XXE) issue.

4.3
2014-09-30 CVE-2012-6316 TP Link Cross-Site Scripting vulnerability in Tp-Link Tl-Wr841N and Tl-Wr841N Firmware

Multiple cross-site scripting (XSS) vulnerabilities in the TP-LINK TL-WR841N router with firmware 3.13.9 Build 120201 Rel.54965n and earlier allow remote administrators to inject arbitrary web script or HTML via the (1) username or (2) pwd parameter to userRpm/NoipDdnsRpm.htm.

4.3
2014-09-30 CVE-2012-5507 Zope
Plone
Race Condition vulnerability in multiple products

AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.

4.3
2014-09-30 CVE-2012-5504 Plone Cross-Site Scripting vulnerability in Plone

Cross-site scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-09-30 CVE-2012-5494 Plone Cross-Site Scripting vulnerability in Plone

Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate."

4.3
2014-09-30 CVE-2012-5491 Plone Information Exposure vulnerability in Plone

z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id.

4.3
2014-09-30 CVE-2012-5490 Plone Cross-Site Scripting vulnerability in Plone

Cross-site scripting (XSS) vulnerability in kssdevel.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-09-29 CVE-2013-2586 Apachefriends Cross-Site Scripting vulnerability in Apachefriends Xampp 1.8.1

XAMPP 1.8.1 does not properly restrict access to xampp/lang.php, which allows remote attackers to modify xampp/lang.tmp and execute cross-site scripting (XSS) attacks via the WriteIntoLocalDisk method.

4.3
2014-09-29 CVE-2012-6107 Apache Cryptographic Issues vulnerability in Apache Axis2/C

Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

4.3
2014-09-29 CVE-2014-3824 Juniper Cross-Site Scripting vulnerability in Juniper Junos Pulse Secure Access Service

Cross-site scripting (XSS) vulnerability in the web server in the Juniper Junos Pulse Secure Access Service (SSL VPN) devices with IVE OS 8.0 before 8.0r6, 7.4 before 7.4r13, and 7.1 before 7.1r20 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-09-29 CVE-2014-3823 Juniper Improper Input Validation vulnerability in Juniper Junos Pulse Secure Access Service

The Juniper Junos Pulse Secure Access Service (SSL VPN) devices with IVE OS 8.0 before 8.0r1, 7.4 before 7.4r5, and 7.1 before 7.1r18 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

4.3
2014-09-29 CVE-2014-3820 Juniper Cross-Site Scripting vulnerability in Juniper products

Cross-site scripting (XSS) vulnerability in the SSL VPN/UAC web server in the Juniper Junos Pulse Secure Access Service (SSL VPN) devices with IVE OS 7.1 before 7.1r16, 7.4 before 7.4r3, and 8.0 before 8.0r1 and the Juniper Junos Pulse Access Control Service devices with UAC OS 4.1 before 4.1r8, 4.4 before 4.4r3 and 5.0 before 5.0r1 allows remote administrators to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-10-05 CVE-2014-3400 Cisco Information Exposure vulnerability in Cisco Webex Meetings Server

Cisco WebEx Meetings Server allows remote authenticated users to obtain sensitive information by reading logs, aka Bug IDs CSCuq36417 and CSCuq40344.

4.0
2014-10-02 CVE-2014-6414 Openstack
Canonical
Permissions, Privileges, and Access Controls vulnerability in multiple products

OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors.

4.0
2014-10-02 CVE-2014-3621 Openstack
Canonical
Redhat
Information Exposure vulnerability in multiple products

The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.

4.0

7 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-10-03 CVE-2014-7217 Phpmyadmin Cross-Site Scripting vulnerability in PHPmyadmin

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted ENUM value that is improperly handled during rendering of the (1) table search or (2) table structure page, related to libraries/TableSearch.class.php and libraries/Util.class.php.

3.5
2014-09-30 CVE-2012-5502 Plone Cross-Site Scripting vulnerability in Plone

Cross-site scripting (XSS) vulnerability in safe_html.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with permissions to edit content to inject arbitrary web script or HTML via unspecified vectors.

3.5
2014-09-29 CVE-2013-3065 Linksys Cross-Site Scripting vulnerability in Linksys Ea6500 and Ea6500 Firmware

Cross-site scripting (XSS) vulnerability in the Parental Controls section in Linksys EA6500 with firmware 1.1.28.147876 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to the Blocked Specific Sites section.

3.5
2014-10-02 CVE-2014-7156 XEN Permissions, Privileges, and Access Controls vulnerability in XEN

The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 3.3.x through 4.4.x does not check the supervisor mode permissions for instructions that generate software interrupts, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors.

3.3
2014-09-30 CVE-2014-4330 Perl
Data Dumper Project
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.

2.1
2014-09-29 CVE-2012-6110 Bcron Project Permissions, Privileges, and Access Controls vulnerability in Bcron Project Bcron Exec

bcron-exec in bcron before 0.10 does not close file descriptors associated with temporary files when running a cron job, which allows local users to modify job files and send spam messages by accessing an open file descriptor.

2.1
2014-09-29 CVE-2012-5619 Sleuthkit Improper Input Validation vulnerability in Sleuthkit the Sleuth KIT 4.0.1

The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which .

2.1