Weekly Vulnerabilities Reports > October 27 to November 2, 2014
Overview
89 new vulnerabilities reported during this period, including 3 critical vulnerabilities and 16 high severity vulnerabilities. This weekly summary report vulnerabilities in 96 products from 46 vendors including Mcafee, IBM, Cisco, Pidgin, and Fortinet. Vulnerabilities are notably categorized as "Cross-site Scripting", "Information Exposure", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cryptographic Issues", and "Path Traversal".
- 72 reported vulnerabilities are remotely exploitables.
- 7 reported vulnerabilities have public exploit available.
- 27 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 73 reported vulnerabilities are exploitable by an anonymous user.
- Mcafee has the most reported vulnerabilities, with 20 reported vulnerabilities.
- Freebsd has the most reported critical vulnerabilities, with 1 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
3 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-10-31 | CVE-2014-7985 | Espocrm | Path Traversal vulnerability in Espocrm Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local files via a .. | 10.0 |
2014-10-27 | CVE-2014-3954 | Freebsd | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Freebsd Stack-based buffer overflow in rtsold in FreeBSD 9.1 through 10.1-RC2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted DNS parameters in a router advertisement message. | 10.0 |
2014-10-29 | CVE-2014-4877 | GNU | Path Traversal vulnerability in GNU Wget Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. | 9.3 |
16 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-10-27 | CVE-2014-2988 | Egroupware | Code Injection vulnerability in Egroupware EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. | 8.5 |
2014-10-27 | CVE-2010-5077 | Ioquake3 Openarena Tremulous | Improper Input Validation vulnerability in multiple products server/sv_main.c in Quake3 Arena, as used in ioquake3 before r1762, OpenArena, Tremulous, and other products, allows remote attackers to cause a denial of service (network traffic amplification) via a spoofed (1) getstatus or (2) rcon request. | 7.8 |
2014-11-02 | CVE-2014-3634 | Sysklogd Project Rsyslog | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products rsyslog before 7.6.6 and 8.x before 8.4.1 and sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash), possibly execute arbitrary code, or have other unspecified impact via a crafted priority (PRI) value that triggers an out-of-bounds array access. | 7.5 |
2014-11-02 | CVE-2014-2015 | Freeradius | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Freeradius Stack-based buffer overflow in the normify function in the rlm_pap module (modules/rlm_pap/rlm_pap.c) in FreeRADIUS 2.x, possibly 2.2.3 and earlier, and 3.x, possibly 3.0.1 and earlier, might allow attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long password hash, as demonstrated by an SSHA hash. | 7.5 |
2014-11-01 | CVE-2014-8244 | Linksys | Information Exposure vulnerability in Linksys products Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.41 build 162351 on E4200v2 and EA4500 devices; before 1.1.41 build 162599 on EA6200 devices; before 1.1.40 build 160989 on EA6300, EA6400, EA6500, and EA6700 devices; and before 1.1.42 build 161129 on EA6900 devices allows remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/ HTTP request. | 7.5 |
2014-10-31 | CVE-2014-8509 | Bittorrent | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Bittorrent Bootstrap-Dht The lazy_bdecode function in BitTorrent bootstrap-dht (aka Bootstrap) allows remote attackers to execute arbitrary code via a crafted packet, which triggers an out-of-bounds read, related to "Improper Indexing." | 7.5 |
2014-10-31 | CVE-2014-8081 | Testlink | Code Injection vulnerability in Testlink lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the filter_result_result parameter. | 7.5 |
2014-10-30 | CVE-2013-7409 | Allplayer | Buffer Errors vulnerability in Allplayer 5.6.2/5.7.0/5.8.1 Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file. | 7.5 |
2014-10-30 | CVE-2014-3446 | BSS | SQL Injection vulnerability in BSS Continuity CMS 4.2.22640.0 SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter. | 7.5 |
2014-10-29 | CVE-2014-8533 | Mcafee | Arbitrary Code Execution vulnerability in McAfee Network Data Loss Prevention 8.6/9.2.0/9.2.1 McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to execute arbitrary code via vectors related to ICMP redirection. | 7.5 |
2014-10-29 | CVE-2014-8530 | Mcafee | Security vulnerability in McAfee Network Data Loss Prevention 8.6/9.2.0/9.2.1 Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information, affect integrity, or cause a denial of service via unknown vectors, related to simultaneous logins. | 7.5 |
2014-10-29 | CVE-2014-8522 | Mcafee | Improper Authentication vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0/9.2.1 The MySQL database in McAfee Network Data Loss Prevention (NDLP) before 9.3 does not require a password, which makes it easier for remote attackers to obtain access. | 7.5 |
2014-10-28 | CVE-2014-8506 | Etiko | SQL Injection vulnerability in Etiko CMS Multiple SQL injection vulnerabilities in Etiko CMS allow remote attackers to execute arbitrary SQL commands via the (1) page_id parameter to loja/index.php or (2) article_id parameter to index.php. | 7.5 |
2014-10-27 | CVE-2012-5580 | Libproxy Project | Code Injection vulnerability in Libproxy Project Libproxy 0.3.1 Format string vulnerability in the print_proxies function in bin/proxy.c in libproxy 0.3.1 might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in a proxy name, as demonstrated using the http_proxy environment variable or a PAC file. | 7.5 |
2014-10-27 | CVE-2003-1599 | Wordpress | Code Injection vulnerability in Wordpress 0.70 PHP remote file inclusion vulnerability in wp-links/links.all.php in WordPress 0.70 allows remote attackers to execute arbitrary PHP code via a URL in the $abspath variable. | 7.5 |
2014-10-27 | CVE-2011-4103 | Djangoproject | Improper Input Validation vulnerability in Djangoproject Piston 0.2.2.0 emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method. | 7.5 |
53 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-10-30 | CVE-2014-3684 | Adaptivecomputing | Permissions, Privileges, and Access Controls vulnerability in Adaptivecomputing Torque Resource Manager The tm_adopt function in lib/Libifl/tm.c in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 5.0.x, 4.5.x, 4.2.x, and earlier does not validate that the owner of the process also owns the adopted session id, which allows remote authenticated users to kill arbitrary processes via a crafted executable. | 6.8 |
2014-10-29 | CVE-2014-8523 | Mcafee | Cross-Site Request Forgery (CSRF) vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0/9.2.1 Cross-site request forgery (CSRF) vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 6.8 |
2014-10-28 | CVE-2014-6125 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Websphere Portal 8.5.0.0 Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Portal 8.5.0 before CF03 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. | 6.8 |
2014-10-27 | CVE-2011-4953 | Cobbler Project | Improper Input Validation vulnerability in Cobbler Project Cobbler 2.2.1 The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet. | 6.8 |
2014-10-31 | CVE-2014-8334 | WP Dbmanager Project | OS Command Injection vulnerability in Wp-Dbmanager Project Wp-Dbmanager The WP-DBManager (aka Database Manager) plugin before 2.7.2 for WordPress allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) $backup['filepath'] (aka "Path to Backup:" field) or (2) $backup['mysqldumppath'] variable. | 6.5 |
2014-10-31 | CVE-2014-3366 | Cisco | SQL Injection vulnerability in Cisco Unified Communications Manager SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089. | 6.5 |
2014-10-29 | CVE-2014-8531 | Mcafee | Cryptographic Issues vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0/9.2.1 The TLS/SSL Server in McAfee Network Data Loss Prevention (NDLP) before 9.3 uses weak cipher algorithms, which makes it easier for remote authenticated users to execute arbitrary code via unspecified vectors. | 6.5 |
2014-10-28 | CVE-2014-4808 | IBM | Remote Code Execution vulnerability in IBM WebSphere Portal Unspecified vulnerability in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0 through 7.0.0.2 CF28, 8.0 through 8.0.0.1 CF14, and 8.5.0 before CF03 allows remote authenticated users to execute arbitrary code via unknown vectors. | 6.5 |
2014-11-01 | CVE-2014-8582 | Fortinet | Unspecified vulnerability in Fortinet products FortiNet FortiADC-E with firmware 3.1.1 before 4.0.5 and Coyote Point Equalizer with firmware 10.2.0a allows remote attackers to obtain access to arbitrary subnets via unspecified vectors. | 6.4 |
2014-10-29 | CVE-2014-3697 | Pidgin | Path Traversal vulnerability in Pidgin Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme. | 6.4 |
2014-10-29 | CVE-2014-3694 | Opensuse Canonical Debian Pidgin | Cryptographic Issues vulnerability in multiple products The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 6.4 |
2014-10-29 | CVE-2014-4839 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Tririga Application Platform Cross-site request forgery (CSRF) vulnerability in birtviewer.query in IBM TRIRIGA Application Platform 3.2 and 3.3 before 3.3.0.2, 3.3.1 before 3.3.1.3, 3.3.2 before 3.3.2.2, and 3.4 before 3.4.0.1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences. | 6.0 |
2014-11-01 | CVE-2014-6032 | F5 | XML External Entity Injection vulnerability in F5 Networks BIG-IP Multiple XML External Entity (XXE) vulnerabilities in the Configuration utility in F5 BIG-IP LTM, ASM, GTM, and Link Controller 11.0 through 11.6.0 and 10.0.0 through 10.2.4, AAM 11.4.0 through 11.6.0, ARM 11.3.0 through 11.6.0, Analytics 11.0.0 through 11.6.0, APM and Edge Gateway 11.0.0 through 11.6.0 and 10.1.0 through 10.2.4, PEM 11.3.0 through 11.6.0, PSM 11.0.0 through 11.4.1 and 10.0.0 through 10.2.4, and WOM 11.0.0 through 11.3.0 and 10.0.0 through 10.2.4 and Enterprise Manager 3.0.0 through 3.1.1 and 2.1.0 through 2.3.0 allow remote authenticated users to read arbitrary files and cause a denial of service via a crafted request, as demonstrated using (1) viewList or (2) deal elements. | 5.5 |
2014-10-29 | CVE-2014-8538 | Hijabmodern | Cryptographic Issues vulnerability in Hijabmodern Hijab Modern 1.0 The Hijab Modern (aka com.Aisyaidea.HijabModern) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.4 |
2014-11-02 | CVE-2014-3683 | Rsyslog Sysklogd Project | Numeric Errors vulnerability in multiple products Integer overflow in rsyslog before 7.6.7 and 8.x before 8.4.2 and sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash) via a large priority (PRI) value. | 5.0 |
2014-10-31 | CVE-2014-8495 | Citrix | Cryptographic Issues vulnerability in Citrix Xenmobile Citrix XenMobile MDX Toolkit before 9.0.4, when used to wrap iOS 8 applications, does not properly encrypt cached application data, which allows context-dependent attackers to obtain sensitive information by reading the cache. | 5.0 |
2014-10-31 | CVE-2014-8082 | Testlink | Information Exposure vulnerability in Testlink lib/functions/database.class.php in TestLink before 1.9.13 allows remote attackers to obtain sensitive information via unspecified vectors, which reveals the installation path in an error message. | 5.0 |
2014-10-31 | CVE-2014-7986 | Espocrm | Permissions, Privileges, and Access Controls vulnerability in Espocrm install/index.php in EspoCRM before 2.6.0 allows remote attackers to re-install the application via a 1 value in the installProcess parameter. | 5.0 |
2014-10-31 | CVE-2013-0334 | Bundler Opensuse Fedoraproject | Improper Input Validation vulnerability in multiple products Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. | 5.0 |
2014-10-30 | CVE-2013-3304 | Dell | Path Traversal vulnerability in Dell Equallogic Ps4000 Firmware 6.0 Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. | 5.0 |
2014-10-29 | CVE-2014-8525 | Mcafee | Information Exposure vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0/9.2.1 McAfee Network Data Loss Prevention (NDLP) before 9.3 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. | 5.0 |
2014-10-29 | CVE-2014-8524 | Mcafee | Information Exposure vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0/9.2.1 McAfee Network Data Loss Prevention (NDLP) before 9.3 does not disable the autocomplete setting for the password and other fields, which allows remote attackers to obtain sensitive information via unspecified vectors. | 5.0 |
2014-10-29 | CVE-2014-8520 | Mcafee | Information Exposure vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0/9.2.1 McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information via vectors related to open network ports. | 5.0 |
2014-10-29 | CVE-2014-6149 | IBM | Path Traversal vulnerability in IBM Tivoli Application Dependency Discovery Manager Directory traversal vulnerability in BIRT-viewer in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.0.0 through 7.2.0.10, 7.2.1.0 through 7.2.1.6, and 7.2.2.0 through 7.2.2.2 allows remote authenticated users to read arbitrary files via unspecified vectors. | 5.0 |
2014-10-29 | CVE-2014-3698 | Pidgin | Information Exposure vulnerability in Pidgin The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message. | 5.0 |
2014-10-29 | CVE-2014-3696 | Pidgin | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Pidgin nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation. | 5.0 |
2014-10-29 | CVE-2014-3695 | Pidgin | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Pidgin markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response. | 5.0 |
2014-10-28 | CVE-2014-4821 | IBM | Information Exposure vulnerability in IBM Websphere Portal IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0 through 7.0.0.2 CF28, 8.0 through 8.0.0.1 CF14, and 8.5.0 before CF03 provides different web-server error codes depending on whether a requested file exists, which allows remote attackers to determine the validity of filenames via a series of requests. | 5.0 |
2014-10-28 | CVE-2014-3293 | Cisco | Resource Management Errors vulnerability in Cisco Asr901 and IOS Cisco IOS 15.4(3)S0b on ASR901 devices makes incorrect decisions to use the CPU for IPv4 packet processing, which allows remote attackers to cause a denial of service (BGP neighbor flapping) by sending many crafted IPv4 packets, aka Bug ID CSCuo29736. | 5.0 |
2014-10-27 | CVE-2014-3955 | Freebsd | Improper Input Validation vulnerability in Freebsd routed in FreeBSD 8.4 through 10.1-RC2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an RIP request from a source not on a directly connected network. | 5.0 |
2014-10-27 | CVE-2014-3711 | Freebsd | Resource Management Errors vulnerability in Freebsd namei in FreeBSD 9.1 through 10.1-RC2 allows remote attackers to cause a denial of service (memory exhaustion) via vectors that trigger a sandboxed process to look up a large number of nonexistent path names. | 5.0 |
2014-10-30 | CVE-2014-7877 | HP | Local Denial Of Service vulnerability in HP Hp-Ux B.11.31 Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors. | 4.9 |
2014-10-29 | CVE-2014-8535 | Mcafee | Unspecified vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0 McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to bypass intended restriction on unspecified functionality via unknown vectors. | 4.6 |
2014-10-27 | CVE-2012-1111 | Robert Ancell | Information Exposure vulnerability in Robert Ancell Lightdm lightdm before 1.0.9 does not properly close file descriptors before opening a child process, which allows local users to write to the lightdm log or have other unspecified impact. | 4.6 |
2014-10-27 | CVE-2010-4820 | Ghostscript | Code Injection vulnerability in Ghostscript 8.62 Untrusted search path vulnerability in Ghostscript 8.62 allows local users to execute arbitrary PostScript code via a Trojan horse Postscript library file in Encoding/ under the current working directory, a different vulnerability than CVE-2010-2055. | 4.4 |
2014-10-31 | CVE-2014-8577 | Croogo | Cross-Site Scripting vulnerability in Croogo Multiple cross-site scripting (XSS) vulnerabilities in Croogo before 2.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Contact][title] parameter to admin/contacts/contacts/add page; (2) data[Block][title] or (3) data[Block][alias] parameter to admin/blocks/blocks/edit page; (4) data[Region][title] parameter to admin/blocks/regions/add page; (5) data[Menu][title] or (6) data[Menu][alias] parameter to admin/menus/menus/add page; or (7) data[Link][title] parameter to admin/menus/links/add/menu page. | 4.3 |
2014-10-31 | CVE-2014-7987 | Espocrm | Cross-Site Scripting vulnerability in Espocrm Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the desc parameter in an errors action to install/index.php. | 4.3 |
2014-10-31 | CVE-2014-2336 | Fortinet | Cross-Site Scripting vulnerability in Fortinet Fortianalyzer Firmware and Fortimanager Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335. | 4.3 |
2014-10-31 | CVE-2014-2335 | Fortinet | Cross-Site Scripting vulnerability in Fortinet Fortianalyzer Firmware Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336. | 4.3 |
2014-10-31 | CVE-2014-2334 | Fortinet | Cross-Site Scripting vulnerability in Fortinet Fortianalyzer Firmware Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336. | 4.3 |
2014-10-31 | CVE-2014-6101 | IBM | Cross-Site Scripting vulnerability in IBM Business Process Manager Cross-site scripting (XSS) vulnerability in the redirect-login feature in IBM Business Process Manager (BPM) Advanced 7.5 through 8.5.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 4.3 |
2014-10-31 | CVE-2014-3375 | Cisco | Cross-Site Scripting vulnerability in Cisco Unified Communications Manager Multiple cross-site scripting (XSS) vulnerabilities in the CCM Service interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90597. | 4.3 |
2014-10-31 | CVE-2014-3374 | Cisco | Cross-Site Scripting vulnerability in Cisco Unified Communications Manager Multiple cross-site scripting (XSS) vulnerabilities in the CCM admin interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90582. | 4.3 |
2014-10-31 | CVE-2014-3373 | Cisco | Cross-Site Scripting vulnerability in Cisco Unified Communications Manager Multiple cross-site scripting (XSS) vulnerabilities in the CCM Dialed Number Analyzer interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCup92550. | 4.3 |
2014-10-31 | CVE-2014-3372 | Cisco | Cross-Site Scripting vulnerability in Cisco Unified Communications Manager Multiple cross-site scripting (XSS) vulnerabilities in the CCM reports interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90589. | 4.3 |
2014-10-29 | CVE-2014-3051 | IBM | Cryptographic Issues vulnerability in IBM Tivoli Composite Application Manager for Transactions The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain credential information via a crafted certificate. | 4.3 |
2014-10-28 | CVE-2014-6126 | IBM | Cross-Site Scripting vulnerability in IBM Websphere Portal 8.5.0.0 Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 before CF03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2014-10-28 | CVE-2014-8505 | Etiko | Cross-Site Scripting vulnerability in Etiko CMS Multiple cross-site scripting (XSS) vulnerabilities in Etiko CMS allow remote attackers to inject arbitrary web script or HTML via the (1) page_id parameter to loja/index.php or (2) article_id parameter to index.php. | 4.3 |
2014-10-28 | CVE-2014-4023 | F5 | Cross-Site Scripting vulnerability in F5 products Cross-site scripting (XSS) vulnerability in tmui/dashboard/echo.jsp in the Configuration utility in F5 BIG-IP LTM, APM, ASM, GTM, and Link Controller 11.0.0 before 11.6.0 and 10.1.0 through 10.2.4, AAM 11.4.0 before 11.6.0, AFM and PEM 11.3.0 before 11.6.0, Analytics 11.0.0 through 11.5.1, Edge Gateway, WebAccelerator, and WOM 11.0.0 through 11.3.0 and 10.1.0 through 10.2.4, and PSM 11.0.0 through 11.4.1 and 10.1.0 through 10.2.4 and Enterprise Manager 3.0.0 through 3.1.1 and 2.1.0 through 2.3.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2014-10-27 | CVE-2014-4586 | WP Football Project | Cross-Site Scripting vulnerability in Wp-Football Project Wp-Football 1.0.1/1.1 Multiple cross-site scripting (XSS) vulnerabilities in the wp-football plugin 1.1 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the league parameter to (1) football_classification.php, (2) football_criteria.php, (3) templates/template_default_preview.php, or (4) templates/template_worldCup_preview.php; the (5) f parameter to football-functions.php; the id parameter in an "action" action to (6) football_groups_list.php, (7) football_matches_list.php, (8) football_matches_phase.php, or (9) football_phases_list.php; or the (10) id_league parameter in a delete action to football_matches_load.php. | 4.3 |
2014-10-31 | CVE-2014-8333 | Redhat Openstack | Resource Management Errors vulnerability in multiple products The VMware driver in OpenStack Compute (Nova) before 2014.1.4 allows remote authenticated users to cause a denial of service (disk consumption) by deleting an instance in the resize state. | 4.0 |
2014-10-31 | CVE-2014-7177 | Enalean | XML External Entity Information Disclosure vulnerability in Enalean Tuleap XML External Entity vulnerability in Enalean Tuleap 7.2 and earlier allows remote authenticated users to read arbitrary files via a crafted xml document in a create action to plugins/tracker/. | 4.0 |
2014-10-27 | CVE-2014-8327 | FAL Sftp Project | Information Disclosure vulnerability in FAL Sftp Project FAL Sftp 0.2.4 The fal_sftp extension before 0.2.6 for TYPO3 uses weak permissions for sFTP driver files and folders, which allows remote authenticated users to obtain sensitive information via unspecified vectors. | 4.0 |
17 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2014-10-29 | CVE-2014-8532 | Mcafee | Information Disclosure Weakness in McAfee Network Data Loss Prevention 8.6/9.2.0/9.2.1 Unspecified vulnerability in McAfee Network Data Loss Prevention before (NDLP) before 9.3 allows local users to obtain sensitive information and impact integrity via unknown vectors, related to partition mounting. | 3.6 |
2014-10-29 | CVE-2014-8527 | Mcafee | Credentials Management vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0/9.2.1 McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information and affect integrity via vectors related to a "plain text password." | 3.6 |
2014-10-31 | CVE-2014-8578 | Openstack | Cross-Site Scripting vulnerability in Openstack Horizon Cross-site scripting (XSS) vulnerability in the Groups panel in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-3475. | 3.5 |
2014-10-31 | CVE-2014-6150 | IBM | Cross-Site Scripting vulnerability in IBM Tivoli Application Dependency Discovery Manager Cross-site scripting (XSS) vulnerability in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.1.0 through 7.2.1.6 and 7.2.2.0 through 7.2.2.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 3.5 |
2014-10-31 | CVE-2014-6148 | IBM | Improper Authentication vulnerability in IBM Tivoli Application Dependency Discovery Manager IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.0.0 through 7.2.0.10, 7.2.1.0 through 7.2.1.6, and 7.2.2.0 through 7.2.2.2 does not require TADDM authentication for rptdesign downloads, which allows remote authenticated users to obtain sensitive database information via a crafted URL. | 3.5 |
2014-10-29 | CVE-2014-8521 | Mcafee | Cross-Site Request Forgery (CSRF) vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0/9.2.1 Cross-site scripting (XSS) vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2014-10-28 | CVE-2014-4814 | IBM | Resource Management Errors vulnerability in IBM Websphere Portal IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0 through 7.0.0.2 CF28, 8.0 through 8.0.0.1 CF14, and 8.5.0 before CF03 does not properly detect recursion during entity expansion, which allows remote authenticated users to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | 3.5 |
2014-11-01 | CVE-2014-8243 | Linksys | Cryptographic Issues vulnerability in Linksys products Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.41 build 162351 on E4200v2 and EA4500 devices; before 1.1.41 build 162599 on EA6200 devices; before 1.1.40 build 160989 on EA6300, EA6400, EA6500, and EA6700 devices; and before 1.1.42 build 161129 on EA6900 devices allows remote attackers to obtain the administrator's MD5 password hash via a direct request for the /.htpasswd URI. | 3.3 |
2014-10-31 | CVE-2014-8399 | Shim Project | Unspecified vulnerability in Shim Project Shim 8 The default configuration in systemd-shim 8 enables the Abandon debugging clause, which allows local users to cause a denial of service via unspecified vectors. | 2.1 |
2014-10-29 | CVE-2014-8537 | Mcafee | Information Exposure vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0 McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading the logs. | 2.1 |
2014-10-29 | CVE-2014-8536 | Mcafee | Information Exposure vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0 McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading unspecified error messages. | 2.1 |
2014-10-29 | CVE-2014-8534 | Mcafee | Unspecified vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0 Unspecified vulnerability in the login form in McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to cause a denial of service via a crafted value in the domain field. | 2.1 |
2014-10-29 | CVE-2014-8529 | Mcafee | Cryptographic Issues vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0/9.2.1 McAfee Network Data Loss Prevention (NDLP) before 9.3 stores the SSH key in cleartext, which allows local users to obtain sensitive information via unspecified vectors. | 2.1 |
2014-10-29 | CVE-2014-8528 | Mcafee | Information Exposure vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0/9.2.1 McAfee Network Data Loss Prevention (NDLP) before 9.3 logs session IDs, which allows local users to obtain sensitive information by reading the audit log. | 2.1 |
2014-10-29 | CVE-2014-8526 | Mcafee | Information Exposure vulnerability in Mcafee Network Data Loss Prevention 8.6/9.2.0/9.2.1 McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information by reading a Java stack trace. | 2.1 |
2014-10-29 | CVE-2014-8519 | Mcafee | Local Information Disclosure vulnerability in McAfee Network Data Loss Prevention 8.6/9.2.0 Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to read arbitrary files via unknown vectors. | 2.1 |
2014-10-29 | CVE-2014-8518 | Mcafee | Credentials Management vulnerability in Mcafee products The (1) Removable Media and (2) CD and DVD encryption offsite access options (formerly Endpoint Encryption for Removable Media or EERM) in McAfee File and Removable Media Protection (FRP) 4.3.0.x, and Endpoint Encryption for Files and Folders (EEFF) 3.2.x through 4.2.x, uses a hard-coded salt, which makes it easier for local users to obtain passwords via a brute force attack. | 2.1 |