Weekly Vulnerabilities Reports > December 29, 2014 to January 4, 2015
Overview
119 new vulnerabilities were reported during this period, including 6 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary reports vulnerabilities in 106 products from 100 vendors including Smoothwall, IBM, Mediawiki, Basic CMS, and Cherry Design. Vulnerabilities are notably categorized as "Cross-Site Request Forgery (CSRF)", "Cross-site Scripting", "SQL Injection", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Path Traversal".
- 116 reported vulnerabilities are remotely exploitable.
- 10 reported vulnerabilities have a public exploit available.
- 56 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 111 reported vulnerabilities are exploitable by an anonymous user.
- Smoothwall has the most reported vulnerabilities, with 5 reported vulnerabilities.
- HEX Rays has the most reported critical vulnerabilities, with 1 reported vulnerability.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
6 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-01-02 | CVE-2014-9458 | HEX Rays | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Hex-Rays IDA 6.6 Heap-based buffer overflow in the GDB debugger module in Hex-Rays IDA Pro before 6.6 cumulative fix 2014-12-24 allows remote GDB servers to have unspecified impact via unknown vectors. | 10.0 |
2015-01-02 | CVE-2014-9456 | DON HO | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in DON HO Notepad++ 6.6.9 Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have unspecified impact via a long Time attribute in an Event element in an XML file. | 10.0 |
2014-12-29 | CVE-2014-1905 | Videowhisper | Command Injection vulnerability in Videowhisper Live Streaming Integration Unrestricted file upload vulnerability in ls/vw_snapshots.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, and then accessing the file via a direct request to a wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/ pathname, as demonstrated by a .php.jpg filename. | 10.0 |
2015-01-01 | CVE-2011-5295 | Gogago | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Gogago Youtube Video Converter 1.1.6 Buffer overflow in the Download method in a certain ActiveX control in MDIEEx.dll in Gogago YouTube Video Converter 1.1.6 allows remote attackers to execute arbitrary code via a long argument. | 9.3 |
2015-01-01 | CVE-2011-5293 | Threediffy | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Threediffy Threedify Designer 5.0.2 The cmdSave method in the ThreeDify.ThreeDifyDesigner.1 ActiveX control in ActiveSolid.dll in ThreeDify Designer 5.0.2 allows remote attackers to write to arbitrary files via a pathname in the argument. | 9.3 |
2015-01-01 | CVE-2011-5288 | Threedify | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Threedify Designer 5.0.2 Multiple buffer overflows in the ThreeDify.ThreeDifyDesigner.1 ActiveX control in ActiveSolid.dll in ThreeDify Designer 5.0.2 allow remote attackers to execute arbitrary code via a long argument to the (1) cmdExport, (2) cmdImport, (3) cmdOpen, or (4) cmdSave method. | 9.3 |
18 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-01-04 | CVE-2014-9509 | Typo3 | Improper Input Validation vulnerability in Typo3 The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set to all or cached, allows remote attackers to have an unspecified impact (possibly resource consumption) via a "Cache Poisoning" attack using a URL with arbitrary arguments, which triggers a reload of the page. | 7.5 |
2015-01-04 | CVE-2014-9277 | Mediawiki | Command Injection vulnerability in Mediawiki The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-domain-policy> in a PHP format request, which causes the string length to change when converting the request to <NOT-cross-domain-policy>. | 7.5 |
2015-01-03 | CVE-2014-9464 | Microweber | SQL Injection vulnerability in Microweber SQL injection vulnerability in Category.php in Microweber CMS 0.95 before 20141209 allows remote attackers to execute arbitrary SQL commands via the category parameter when displaying a category, related to the $parent_id variable. | 7.5 |
2015-01-03 | CVE-2010-5317 | Basic CMS | SQL Injection vulnerability in Basic-Cms Sweetrice 0.6.7.1 Multiple SQL injection vulnerabilities in index.php in SweetRice CMS before 0.6.7.1 allow remote attackers to execute arbitrary SQL commands via (1) the file_name parameter in an attachment action, (2) the post parameter in a show_comment action, (3) the sys-name parameter in an rssfeed action, or (4) the sys-name parameter in a view action. | 7.5 |
2015-01-02 | CVE-2014-9455 | CTS Projects Software | SQL Injection vulnerability in CTS Projects&Software Classad 3.0 SQL injection vulnerability in showads.php in CTS Projects & Software ClassAd 3.0 allows remote attackers to execute arbitrary SQL commands via the catid parameter. | 7.5 |
2015-01-02 | CVE-2014-9451 | Vdgsecurity | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Vdgsecurity VDG Sense 2.3.13 Multiple stack-based buffer overflows in the DIVA web service API (/webservice) in VDG Security SENSE (formerly DIVA) 2.3.13 allow remote attackers to execute arbitrary code via the (1) user or (2) password parameter in an AuthenticateUser request. | 7.5 |
2015-01-02 | CVE-2014-9450 | Zabbix | SQL Injection vulnerability in Zabbix Multiple SQL injection vulnerabilities in chart_bar.php in the frontend in Zabbix before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8 allow remote attackers to execute arbitrary SQL commands via the (1) itemid or (2) periods parameter. | 7.5 |
2015-01-02 | CVE-2014-9448 | Mini Stream | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mini-Stream Rm-Mp3 Converter 3.1.2.1.2010.03.30 Buffer overflow in Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a long string in a WAX file. | 7.5 |
2015-01-02 | CVE-2014-9445 | Installatron | SQL Injection vulnerability in Installatron Gatequest File Manager 0.2.5 SQL injection vulnerability in incl/create.inc.php in Installatron GQ File Manager 0.2.5 allows remote attackers to execute arbitrary SQL commands via the create parameter to index.php. | 7.5 |
2015-01-02 | CVE-2014-9440 | Phpmyrecipes Project | SQL Injection vulnerability in PHPmyrecipes Project PHPmyrecipes 1.2.2 SQL injection vulnerability in browse.php in phpMyRecipes 1.2.2 allows remote attackers to execute arbitrary SQL commands via the category parameter. | 7.5 |
2015-01-01 | CVE-2011-5313 | Redaxscript | SQL Injection vulnerability in Redaxscript 0.3.2 Multiple SQL injection vulnerabilities in includes/password.php in Redaxscript 0.3.2 allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) password parameter to the password_reset program. | 7.5 |
2015-01-01 | CVE-2011-5308 | Cdnvote Project | SQL Injection vulnerability in Cdnvote Project Cdnvote 0.4.1 Multiple SQL injection vulnerabilities in cdnvote-post.php in the cdnvote plugin before 0.4.2 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) cdnvote_post_id or (2) cdnvote_point parameter. | 7.5 |
2015-01-01 | CVE-2011-5292 | Easewe Software | Permissions, Privileges, and Access Controls vulnerability in Easewe Software Easewe FTP OCX Activex Control 4.5.0.9 The EaseWeFtp.FtpLibrary ActiveX control in EaseWeFtp.ocx in Easewe FTP OCX 4.5.0.9 does not restrict access to certain methods, which allows remote attackers to execute arbitrary files via a pathname in the first argument to the (1) Execute or (2) Run method, (3) write to arbitrary files via a pathname in the argument to the CreateLocalFile method, (4) create arbitrary directories via a pathname in the argument to the CreateLocalFolder method, or (5) delete arbitrary files via a pathname in the argument to the DeleteLocalFile method. | 7.5 |
2015-01-01 | CVE-2011-5286 | Social Slider Project | SQL Injection vulnerability in Social Slider Project Social Slider 7.4.0 SQL injection vulnerability in social-slider-2/ajax.php in the Social Slider plugin before 7.4.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the rA array parameter. | 7.5 |
2014-12-31 | CVE-2014-8145 | Sound Exchange Project Debian Oracle | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple heap-based buffer overflows in Sound eXchange (SoX) 14.4.1 and earlier allow remote attackers to have unspecified impact via a crafted WAV file to the (1) start_read or (2) AdpcmReadBlock function. | 7.5 |
2014-12-31 | CVE-2014-9254 | Minibb | SQL Injection vulnerability in Minibb 3.1 bb_func_unsub.php in MiniBB 3.1 before 20141127 uses an incorrect regular expression, which allows remote attackers to conduct SQL injection attacks via the code parameter in an unsubscribe action to index.php. | 7.5 |
2014-12-30 | CVE-2013-3295 | Exponentcms | Path Traversal vulnerability in Exponentcms Exponent CMS Directory traversal vulnerability in install/popup.php in Exponent CMS before 2.2.0 RC1 allows remote attackers to include and execute arbitrary local files via a .. | 7.5 |
2014-12-29 | CVE-2014-9424 | Openbsd | Denial-Of-Service vulnerability in Libressl Double free vulnerability in the ssl_parse_clienthello_use_srtp_ext function in d1_srtp.c in LibreSSL before 2.1.2 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a certain length-verification error during processing of a DTLS handshake. | 7.5 |
88 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-01-03 | CVE-2010-5320 | Memht | Cross-Site Request Forgery (CSRF) vulnerability in Memht Portal 4.0.1 Multiple cross-site request forgery (CSRF) vulnerabilities in MemHT Portal 4.0.1 allow remote attackers to hijack the authentication of administrators for requests that (1) modify settings via a configuration action to admin.php, (2) modify articles via an articles action to admin.php, or (3) modify credentials via a users action to admin.php. | 6.8 |
2015-01-03 | CVE-2010-5319 | KAN Studio | Cross-Site Request Forgery (CSRF) vulnerability in Kan-Studio Kandidat CMS 1.4.2 Multiple cross-site request forgery (CSRF) vulnerabilities in Kandidat CMS 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) modify settings via a validate action to admin/settings.php, (2) modify pages via the what parameter to admin/edit.php, or (3) modify articles via the edit parameter to admin/news.php. | 6.8 |
2015-01-03 | CVE-2010-5315 | Chialab Channelweb | Cross-Site Request Forgery (CSRF) vulnerability in Chialab & Channelweb Bedita Multiple cross-site request forgery (CSRF) vulnerabilities in BEdita before 3.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create categories via a data array to news/saveCategories or (2) modify credentials via a data array to admin/saveUser. | 6.8 |
2015-01-02 | CVE-2014-9460 | Justin Klein | Cross-Site Request Forgery (CSRF) vulnerability in Justin Klein Wp-Vipergb 1.3.10 Multiple cross-site request forgery (CSRF) vulnerabilities in the WP-ViperGB plugin before 1.3.11 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via the (2) vgb_page or (3) vgb_items_per_pg parameter in the wp-vipergb page to wp-admin/options-general.php. | 6.8 |
2015-01-02 | CVE-2014-9459 | E107 | Cross-Site Request Forgery (CSRF) vulnerability in E107 2.0 Cross-site request forgery (CSRF) vulnerability in the AdminObserver function in e107_admin/users.php in e107 2.0 alpha2 allows remote attackers to hijack the authentication of administrators for requests that add users to the administrator group via the id parameter in an admin action. | 6.8 |
2015-01-02 | CVE-2014-9454 | Simple Sticky Footer Project | Cross-Site Request Forgery (CSRF) vulnerability in Simple Sticky Footer Project Simple Sticky Footer 1.3.2 Multiple cross-site request forgery (CSRF) vulnerabilities in the Simple Sticky Footer plugin before 1.3.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via the (2) simple_sf_width or (3) simple_sf_style parameter in the simple-simple-sticky-footer page to wp-admin/themes.php. | 6.8 |
2015-01-02 | CVE-2014-9441 | Lightbox Photo Gallery Project | Cross-Site Request Forgery (CSRF) vulnerability in Lightbox Photo Gallery Project Lightbox Photo Gallery 1.0 Multiple cross-site request forgery (CSRF) vulnerabilities in the Lightbox Photo Gallery plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via the (2) ll__opt[image2_url] or (3) ll__opt[image3_url] parameter in a ll_save_settings action to wp-admin/admin-ajax.php. | 6.8 |
2015-01-02 | CVE-2014-9438 | Vbulletin | Cross-Site Request Forgery (CSRF) vulnerability in Vbulletin 4.2.2 Cross-site request forgery (CSRF) vulnerability in the Moderator Control Panel in vBulletin 4.2.2 allows remote attackers to hijack the authentication of administrators for requests that (1) ban a user via the username parameter in a dobanuser action to modcp/banning.php or (2) unban a user, (3) modify user profiles, edit a (4) post or (5) topic, or approve a (6) post or (7) topic via unspecified vectors. | 6.8 |
2015-01-02 | CVE-2014-9437 | Sliding Social Icons Project | Cross-Site Request Forgery (CSRF) vulnerability in Sliding Social Icons Project Sliding Social Icons 1.61 Multiple cross-site request forgery (CSRF) vulnerabilities in the Sliding Social Icons plugin 1.61 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or (2) conduct cross-site scripting (XSS) attacks via the sc_social_slider_margin parameter in a wpbs_save_settings action in the wpbs_panel page to wp-admin/admin.php. | 6.8 |
2015-01-01 | CVE-2011-5318 | Diafan | Cross-Site Request Forgery (CSRF) vulnerability in Diafan Diafan.Cms 5.0 Multiple cross-site request forgery (CSRF) vulnerabilities in diafan.CMS before 5.1 allow remote attackers to hijack the authentication of administrators for requests that (1) modify articles via a save_post action to admin/news/saveNEWS_ID/, (2) modify settings via a save_post action to admin/site/save2/, or (3) modify credentials via a save_post action to admin/usersite/save2/. | 6.8 |
2015-01-01 | CVE-2011-5316 | Cambio Project | Cross-Site Request Forgery (CSRF) vulnerability in Cambio Project Cambio 0.5A Cross-site request forgery (CSRF) vulnerability in admin/index.php in Cambio 0.5a nightly r37 allows remote attackers to hijack the authentication of administrators for requests that modify credentials via a user save action. | 6.8 |
2015-01-01 | CVE-2011-5315 | Whcms Project | Cross-Site Request Forgery (CSRF) vulnerability in Whcms Project Whcms 0.115 Cross-site request forgery (CSRF) vulnerability in admin/index.php in whCMS 0.115 alpha allows remote attackers to hijack the authentication of administrators for requests that modify credentials via a user save action. | 6.8 |
2015-01-01 | CVE-2011-5311 | Cherry Design | Cross-Site Request Forgery (CSRF) vulnerability in Cherry-Design Wikipad 1.6.0 Cross-site request forgery (CSRF) vulnerability in pages.php in Wikipad 1.6.0 allows remote attackers to hijack the authentication of administrators for requests that modify pages via the data[text] parameter. | 6.8 |
2015-01-01 | CVE-2011-5306 | Zaunz Gmbh | Cross-Site Request Forgery (CSRF) vulnerability in Zaunz Gmbh Cosmoshop 10.05.00 Cross-site request forgery (CSRF) vulnerability in cgi-bin/admin/setup_edit.cgi in CosmoShop ePRO 10.05.00 allows remote attackers to hijack the authentication of administrators for requests that modify settings via a setup action. | 6.8 |
2015-01-01 | CVE-2011-5302 | Kubelabs | Cross-Site Request Forgery (CSRF) vulnerability in Kubelabs PHPdug 2.0.0 Cross-site request forgery (CSRF) vulnerability in adm/admin_edit.php in PHPDug 2.0.0 allows remote attackers to hijack the authentication of administrators for requests that modify credentials. | 6.8 |
2015-01-01 | CVE-2011-5300 | Pommo | Cross-Site Request Forgery (CSRF) vulnerability in Pommo Pommo-Ardvark Pr16.1 Cross-site request forgery (CSRF) vulnerability in admin/setup/config/users.php in poMMo Aardvark PR16.1 allows remote attackers to hijack the authentication of administrators for requests that modify credentials via certain admin_ parameters. | 6.8 |
2015-01-01 | CVE-2011-5298 | Viralheat | Cross-Site Request Forgery (CSRF) vulnerability in Viralheat Argyle Social 20110426 Multiple cross-site request forgery (CSRF) vulnerabilities in Argyle Social 2011-04-26 allow remote attackers to hijack the authentication of administrators for requests that (1) modify credentials via the role parameter to users/create/, (2) modify rules via the terms field in stream_filter_rule JSON data to settings-ajax/stream_filter_rules/create, or (3) modify efforts via the title field in effort JSON data to publish-ajax/efforts/create. | 6.8 |
2014-12-31 | CVE-2014-9431 | Smoothwall | Cross-Site Request Forgery (CSRF) vulnerability in Smoothwall 3.0/3.1 Multiple cross-site request forgery (CSRF) vulnerabilities in Smoothwall Express 3.1 and 3.0 SP3 allow remote attackers to hijack the authentication of administrators for requests that change the (1) admin or (2) dial password via a request to httpd/cgi-bin/changepw.cgi. | 6.8 |
2014-12-31 | CVE-2014-8144 | Doorkeeper Project | Cross-Site Request Forgery (CSRF) vulnerability in Doorkeeper Project Doorkeeper Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors. | 6.8 |
2014-12-31 | CVE-2011-5284 | Smoothwall | Cross-Site Request Forgery (CSRF) vulnerability in Smoothwall 3.0/3.1 Cross-site request forgery (CSRF) vulnerability in the web management interface in httpd/cgi-bin/shutdown.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to hijack the authentication of administrators for requests that perform a reboot via a request to cgi-bin/shutdown.cgi. | 6.8 |
2014-12-31 | CVE-2014-9401 | WP Limit Posts Automatically Project | Cross-Site Request Forgery (CSRF) vulnerability in WP Limit Posts Automatically Project WP Limit Posts Automatically 0.7 Cross-site request forgery (CSRF) vulnerability in the WP Limit Posts Automatically plugin 0.7 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the lpa_post_letters parameter in the wp-limit-posts-automatically.php page to wp-admin/options-general.php. | 6.8 |
2014-12-31 | CVE-2014-9400 | WP Unique Article Header Image Project | Cross-Site Request Forgery (CSRF) vulnerability in WP Unique Article Header Image Project WP Unique Article Header Image 1.0 Multiple cross-site request forgery (CSRF) vulnerabilities in the Wp Unique Article Header Image plugin 1.0 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) gt_default_header or (2) gt_homepage_header parameter in the wp-unique-header.php page to wp-admin/options-general.php. | 6.8 |
2014-12-31 | CVE-2014-9399 | Tweetscribe Project | Cross-Site Request Forgery (CSRF) vulnerability in Tweetscribe Project Tweetscribe 1.1 Cross-site request forgery (CSRF) vulnerability in the TweetScribe plugin 1.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the tweetscribe_username parameter in a save action in the tweetscribe.php page to wp-admin/options-general.php. | 6.8 |
2014-12-31 | CVE-2014-9398 | Twitter Liveblog Project | Cross-Site Request Forgery (CSRF) vulnerability in Twitter Liveblog Project Twitter Liveblog 1.1.2 Cross-site request forgery (CSRF) vulnerability in the Twitter LiveBlog plugin 1.1.2 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the mashtlb_twitter_username parameter in the twitter-liveblog.php page to wp-admin/options-general.php. | 6.8 |
2014-12-31 | CVE-2014-9397 | Twimp WP Project | Cross-Site Request Forgery (CSRF) vulnerability in Twimp-Wp Project Twimp-Wp 0.1 Cross-site request forgery (CSRF) vulnerability in the twimp-wp plugin for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the message_format parameter in the twimp-wp.php page to wp-admin/options-general.php. | 6.8 |
2014-12-31 | CVE-2014-9396 | Simpleflickr Project | Cross-Site Request Forgery (CSRF) vulnerability in Simpleflickr Project Simpleflickr 3.0.3 Multiple cross-site request forgery (CSRF) vulnerabilities in the SimpleFlickr plugin 3.0.3 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) simpleflickr_width, (2) simpleflickr_bgcolor, or (3) simpleflickr_xmldatapath parameter in the simpleFlickr.php page to wp-admin/options-general.php. | 6.8 |
2014-12-31 | CVE-2014-9395 | Simplelife Project | Cross-Site Request Forgery (CSRF) vulnerability in Simplelife Project Simplelife 1.2 Multiple cross-site request forgery (CSRF) vulnerabilities in the Simplelife plugin 1.2 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) simplehoverback, (2) simplehovertext, (3) flickrback, or (4) simple_flimit parameter in the simplelife.php page to wp-admin/options-general.php. | 6.8 |
2014-12-31 | CVE-2014-9394 | Pwgrandom Project | Cross-Site Request Forgery (CSRF) vulnerability in Pwgrandom Project Pwgrandom 1.11 Multiple cross-site request forgery (CSRF) vulnerabilities in the PWGRandom plugin 1.11 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) pwgrandom_title or (2) pwgrandom_category parameter in the pwgrandom page to wp-admin/options-general.php. | 6.8 |
2014-12-31 | CVE-2014-9393 | Post TO Twitter Project | Cross-Site Request Forgery (CSRF) vulnerability in Post TO Twitter Project Post TO Twitter 0.7 Multiple cross-site request forgery (CSRF) vulnerabilities in the Post to Twitter plugin 0.7 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) idptt_twitter_username or (2) idptt_tweet_prefix parameter to wp-admin/options-general.php. | 6.8 |
2014-12-31 | CVE-2014-9392 | Pictobrowser Project | Cross-Site Request Forgery (CSRF) vulnerability in Pictobrowser Project Pictobrowser 0.3.1 Cross-site request forgery (CSRF) vulnerability in the PictoBrowser (pictobrowser-gallery) plugin 0.3.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the pictoBrowserFlickrUser parameter in the options-page.php page to wp-admin/options-general.php. | 6.8 |
2014-12-31 | CVE-2014-9391 | Gslideshow Project | Cross-Site Request Forgery (CSRF) vulnerability in Gslideshow Project Gslideshow 0.1 Multiple cross-site request forgery (CSRF) vulnerabilities in the gSlideShow plugin 0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) rss, (2) display_time or (3) transistion_time parameter in the gslideshow.php page to wp-admin/options-general.php. | 6.8 |
2014-12-29 | CVE-2014-3556 | F5 | Command Injection vulnerability in F5 Nginx The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411. | 6.8 |
2015-01-02 | CVE-2013-7418 | Ipcop | Command Injection vulnerability in Ipcop 2.1.2/2.1.4 cgi-bin/iptablesgui.cgi in IPCop (aka IPCop Firewall) before 2.1.5 allows remote authenticated users to execute arbitrary code via shell metacharacters in the TABLE parameter. | 6.5 |
2015-01-02 | CVE-2014-9457 | PMB Services | SQL Injection vulnerability in PMB Services PMB 4.1.3 SQL injection vulnerability in classes/mono_display.class.php in PMB 4.1.3 and earlier allows remote authenticated users to execute arbitrary SQL commands via the id parameter to catalog.php. | 6.5 |
2015-01-02 | CVE-2014-9442 | Reality66 | SQL Injection vulnerability in Reality66 Cart66 Lite 1.5.3 SQL injection vulnerability in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.4 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the q parameter in a promotionProductSearch action to wp-admin/admin-ajax.php. | 6.5 |
2015-01-02 | CVE-2014-9435 | Absolutengine | SQL Injection vulnerability in Absolutengine Absolut Engine 1.73 Multiple SQL injection vulnerabilities in Absolut Engine 1.73 allow remote authenticated users to execute arbitrary SQL commands via the (1) sectionID parameter to admin/managersection.php, (2) userID parameter to admin/edituser.php, (3) username parameter to admin/admin.php, or (4) title parameter to admin/managerrelated.php. | 6.5 |
2015-01-02 | CVE-2014-9447 | Elfutils Project | Path Traversal vulnerability in Elfutils Project Elfutils 0.152/0.161 Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program. | 6.4 |
2015-01-01 | CVE-2011-5294 | Kofax | Permissions, Privileges, and Access Controls vulnerability in Kofax E-Transactions Sender Sendbox 2.5.0.933 The SaveMessage method in the LEADeMail.LEADSmtp.20 ActiveX control in LTCML14n.dll 14.0.0.34 in Kofax e-Transactions Sender Sendbox 2.5.0.933 allows remote attackers to write to arbitrary files via a pathname in the first argument. | 6.4 |
2015-01-01 | CVE-2011-5291 | Ashampoo Gmbh CO | Permissions, Privileges, and Access Controls vulnerability in Ashampoo Gmbh & CO. Ashampoo 3D CAD Professional 3 3.0/3.0.1 The SaveData method in the Cygnicon.ViewControl.1 ActiveX control in CyViewer.ocx in Ashampoo 3D CAD Professional 3.x before 3.0.2 allows remote attackers to write to arbitrary files via a pathname in the first argument. | 6.4 |
2015-01-01 | CVE-2011-5290 | Idrive INC | Permissions, Privileges, and Access Controls vulnerability in Idrive INC Idrive Online Backup 3.4.0 The SaveToFile method in the UniBasicPack.UniTextBox ActiveX control in UniBasic100_EDA1811C.ocx in IDrive Online Backup 3.4.0 allows remote attackers to write to arbitrary files via a pathname in the first argument. | 6.4 |
2015-01-01 | CVE-2011-5289 | Diego Uscanga | Permissions, Privileges, and Access Controls vulnerability in Diego Uscanga Atube Catcher 2.3.570 The SaveDecrypted method in the ChilkatCrypt2.ChilkatOmaDrm.1 ActiveX control in ChilkatCrypt2.dll in aTube Catcher 2.3.570 allows remote attackers to write to arbitrary files via a pathname in the argument. | 6.4 |
2014-12-29 | CVE-2014-6168 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Security Identity Manager Cross-site request forgery (CSRF) vulnerability in IBM Security Identity Manager 5.1 before 5.1.0.15 IF0056 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences. | 6.0 |
2015-01-02 | CVE-2014-7294 | NYU | Open Redirection vulnerability in Ex Libris Patron Directory Services Open redirect vulnerability in the logon page in NYU OpenSSO Integration 2.1 and earlier for Ex Libris Patron Directory Services (PDS) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. | 5.8 |
2015-01-04 | CVE-2014-9276 | Mediawiki | Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that conduct cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview. | 5.1 |
2015-01-04 | CVE-2013-2131 | Rrdtool Project | Use of Externally-Controlled Format String vulnerability in Rrdtool Project Rrdtool 1.4.7 Format string vulnerability in the rrdtool module 1.4.7 for Python, as used in Zenoss, allows context-dependent attackers to cause a denial of service (crash) via format string specifiers to the rrdtool.graph function. | 5.0 |
2015-01-02 | CVE-2014-9452 | Vdgsecurity | Path Traversal vulnerability in Vdgsecurity VDG Sense 2.3.13 Directory traversal vulnerability in VDG Security SENSE (formerly DIVA) 2.3.13 allows remote attackers to read arbitrary files via a .. | 5.0 |
2015-01-02 | CVE-2014-9449 | Exiv2 Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Buffer overflow in the RiffVideo::infoTagsHandler function in riffvideo.cpp in Exiv2 0.24 allows remote attackers to cause a denial of service (crash) via a long IKEY INFO tag value in an AVI file. | 5.0 |
2015-01-02 | CVE-2014-9436 | Sysaid | Path Traversal vulnerability in Sysaid 14.4/6.0/6.5 Absolute path traversal vulnerability in SysAid On-Premise before 14.4.2 allows remote attackers to read arbitrary files via a \\\\ (four backslashes) in the fileName parameter to getRdsLogFile. | 5.0 |
2015-01-01 | CVE-2011-5314 | Redaxscript | Information Exposure vulnerability in Redaxscript 0.3.2 templates/default/index.php in Redaxscript 0.3.2 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. | 5.0 |
2015-01-01 | CVE-2011-5310 | Cherry Design | Path Traversal vulnerability in Cherry-Design Wikipad 1.6.0 Directory traversal vulnerability in pages.php in Wikipad 1.6.0 allows remote attackers to read arbitrary files via a .. | 5.0 |
2014-12-31 | CVE-2014-9119 | DB Backup Project | Path Traversal vulnerability in DB Backup Project DB Backup 4.5 Directory traversal vulnerability in download.php in the DB Backup plugin 4.5 and earlier for Wordpress allows remote attackers to read arbitrary files via a .. | 5.0 |
2014-12-29 | CVE-2014-2224 | Plogger | 7PK - Security Features vulnerability in Plogger 1.0 Plogger 1.0 RC1 and earlier, when the Lucid theme is used, does not assign new values for certain codes, which makes it easier for remote attackers to bypass the CAPTCHA protection mechanism via a series of form submissions. | 5.0 |
2014-12-29 | CVE-2014-1908 | Videowhisper | Information Exposure vulnerability in Videowhisper Live Streaming Integration The error-handling feature in (1) bp.php, (2) videowhisper_streaming.php, and (3) ls/rtmp.inc.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. | 5.0 |
2014-12-29 | CVE-2014-8132 | Libssh Debian Opensuse Fedoraproject Canonical | Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet. | 5.0 |
2014-12-30 | CVE-2014-4634 | EMC | Local Privilege Escalation vulnerability in EMC Replication Manager and AppSync Unquoted Windows search path vulnerability in EMC Replication Manager through 5.5.2 and AppSync before 2.1.0 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character. | 4.6 |
2015-01-04 | CVE-2014-9508 | Typo3 | Link Following vulnerability in Typo3 The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers to change URLs to arbitrary domains for those links via unknown vectors. | 4.3 |
2015-01-03 | CVE-2010-5318 | Basic CMS | Credentials Management vulnerability in Basic-Cms Sweetrice 0.6.7.1 The password-reset feature in as/index.php in SweetRice CMS before 0.6.7.1 allows remote attackers to modify the administrator's password by specifying the administrator's e-mail address in the email parameter. | 4.3 |
2015-01-03 | CVE-2010-5316 | Basic CMS | Cross-site Scripting vulnerability in Basic-Cms Sweetrice 0.6.7.1 Cross-site scripting (XSS) vulnerability in as/index.php in SweetRice CMS before 0.6.7.1 allows remote attackers to inject arbitrary web script or HTML via a top_height cookie. | 4.3 |
2015-01-03 | CVE-2010-5314 | Chialab Channelweb | Cross-site Scripting vulnerability in Chialab & Channelweb Bedita Cross-site scripting (XSS) vulnerability in controllers/home_controller.php in BEdita before 3.1 allows remote attackers to inject arbitrary web script or HTML via the searchstring parameter to news/index. | 4.3 |
2015-01-02 | CVE-2014-9453 | Simple Visitor Stat Project | Cross-site Scripting vulnerability in Simple Visitor Stat Project Simple Visitor Stat Multiple cross-site scripting (XSS) vulnerabilities in simple-visitor-stat.php in the Simple visitor stat plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP User-Agent or (2) HTTP Referer header. | 4.3 |
2015-01-02 | CVE-2014-9446 | Koha | Cross-site Scripting vulnerability in Koha Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by parameter to the (1) opac parameter in opac-search.pl or (2) intranet parameter in catalogue/search.pl. | 4.3 |
2015-01-02 | CVE-2014-9444 | Frontend Uploader Project | Cross-site Scripting vulnerability in Frontend Uploader Project Frontend Uploader 0.9.2 Cross-site scripting (XSS) vulnerability in the Frontend Uploader plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the errors[fu-disallowed-mime-type][0][name] parameter to the default URI. | 4.3 |
2015-01-02 | CVE-2014-7293 | NYU | Cross-site Scripting vulnerability in NYU Opensso Integration Cross-site scripting (XSS) vulnerability in the logon page in NYU OpenSSO Integration 2.1 and earlier for Ex Libris Patron Directory Services (PDS) allows remote attackers to inject arbitrary web script or HTML via the url parameter. | 4.3 |
2015-01-02 | CVE-2014-9443 | Relevanssi | Cross-site Scripting vulnerability in Relevanssi 3.3.7.1 Cross-site scripting (XSS) vulnerability in the Relevanssi plugin before 3.3.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2015-01-02 | CVE-2014-9439 | Efssoft | Cross-site Scripting vulnerability in Efssoft Easy File Sharing web Server 6.8 Cross-site scripting (XSS) vulnerability in Easy File Sharing Web Server 6.8 allows remote attackers to inject arbitrary web script or HTML via the username field during registration, which is not properly handled by forum.ghp. | 4.3 |
2015-01-02 | CVE-2013-7417 | Ipcop | Cross-site Scripting vulnerability in Ipcop 2.1.2 Cross-site scripting (XSS) vulnerability in cgi-bin/ipinfo.cgi in IPCop (aka IPCop Firewall) before 2.1.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING. | 4.3 |
2015-01-01 | CVE-2011-5317 | Wondercms | Cross-site Scripting vulnerability in Wondercms 0.3.3 Cross-site scripting (XSS) vulnerability in editText.php in WonderCMS before 0.4 allows remote attackers to inject arbitrary web script or HTML via the content parameter. | 4.3 |
2015-01-01 | CVE-2011-5312 | Gollos | Cross-site Scripting vulnerability in Gollos 2.8 Multiple cross-site scripting (XSS) vulnerabilities in Gollos 2.8 allow remote attackers to inject arbitrary web script or HTML via the returnurl parameter to (1) register.aspx, (2) publication/info.aspx, or (3) user/add.aspx, or (4) the q parameter to product/list.aspx. | 4.3 |
2015-01-01 | CVE-2011-5309 | Cherry Design | Cross-site Scripting vulnerability in Cherry-Design Wikipad 1.6.0 Cross-site scripting (XSS) vulnerability in pages.php in Wikipad 1.6.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter. | 4.3 |
2015-01-01 | CVE-2011-5307 | Photosmash Project | Cross-site Scripting vulnerability in Photosmash Project Photosmash 1.01 Cross-site scripting (XSS) vulnerability in index.php in the PhotoSmash plugin 1.0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter. | 4.3 |
2015-01-01 | CVE-2011-5305 | Zaunz Gmbh | Cross-site Scripting vulnerability in Zaunz Gmbh Cosmoshop 10.05.00 Multiple cross-site scripting (XSS) vulnerabilities in CosmoShop ePRO 10.05.00 allow remote attackers to inject arbitrary web script or HTML via (1) the rcopy parameter to cgi-bin/admin/rubrikadmin.cgi, (2) the typ parameter to cgi-bin/admin/artikeladmin.cgi, or (3) the suchbegriff parameter to cgi-bin/admin/shophilfe_suche.cgi. | 4.3 |
2015-01-01 | CVE-2011-5304 | Sodahead | Cross-site Scripting vulnerability in Sodahead Polls 2.0.3 Multiple cross-site scripting (XSS) vulnerabilities in the Sodahead Polls plugin before 2.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via (1) the poll_id parameter to customizer.php or (2) the customize parameter to poll.php. | 4.3 |
2015-01-01 | CVE-2011-5303 | Clausmuus | Cross-site Scripting vulnerability in Clausmuus Spitfire 1.0436 Cross-site scripting (XSS) vulnerability in Spitfire CMS 1.0.436 allows remote attackers to inject arbitrary web script or HTML via a cms_username cookie. | 4.3 |
2015-01-01 | CVE-2011-5301 | Kubelabs | Cross-site Scripting vulnerability in Kubelabs PHPdug 2.0.0 Multiple cross-site scripting (XSS) vulnerabilities in PHPDug 2.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the story_url parameter to add_story.php, (2) the email parameter to editprofile.php, (3) the title parameter to adm/content_add.php, or (4) the username parameter to adm/admin_edit.php. | 4.3 |
2015-01-01 | CVE-2011-5299 | Pommo | Cross-site Scripting vulnerability in Pommo Pommo-Ardvark Pr16.1 Multiple cross-site scripting (XSS) vulnerabilities in poMMo Aardvark PR16.1 allow remote attackers to inject arbitrary web script or HTML via (1) the referer parameter to index.php, (2) the site_name parameter to admin/setup/config/general.php, (3) the group_name parameter to admin/subscribers/subscribers_groups.php, or (4) the field_name parameter to admin/setup/setup_fields.php. | 4.3 |
2015-01-01 | CVE-2011-5297 | Ttfreeware | Cross-site Scripting vulnerability in Ttfreeware Tigertoms Chat Room 1.0.4 Multiple cross-site scripting (XSS) vulnerabilities in TTChat 1.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the msg parameter to default.php or (2) the username parameter to chat_form.php. | 4.3 |
2015-01-01 | CVE-2011-5296 | Tuttophp | Cross-site Scripting vulnerability in Tuttophp Happy Chat 1.0 Cross-site scripting (XSS) vulnerability in profilo.php in Happy Chat 1.0 allows remote attackers to inject arbitrary web script or HTML via the nick parameter. | 4.3 |
2015-01-01 | CVE-2011-5287 | Hesk | Cross-site Scripting vulnerability in Hesk 2.4.0 Multiple cross-site scripting (XSS) vulnerabilities in HESK before 2.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) hesk_settings[tmp_title] or (2) hesklang[ENCODING] parameter to inc/header.inc.php; the hesklang[attempt] parameter to (3) inc/assignment_search.inc.php, (4) inc/attachments.inc.php, (5) inc/common.inc.php, (6) inc/database.inc.php, (7) inc/prepare_ticket_search.inc.php, (8) inc/print_tickets.inc.php, (9) inc/show_admin_nav.inc.php, (10) inc/show_search_form.inc.php, or (11) inc/ticket_list.inc.php; or (12) the PATH_INFO to language/en/text.php. | 4.3 |
2015-01-01 | CVE-2011-5285 | Bugfree | Cross-site Scripting vulnerability in Bugfree 2.1.3 Multiple cross-site scripting (XSS) vulnerabilities in BugFree 2.1.3 allow remote attackers to inject arbitrary web script or HTML via (1) the ActionType parameter to Bug.php, the ReportMode parameter to (2) Report.php or (3) ReportLeft.php, or the PATH_INFO to (4) AdminProjectList.php, (5) AdminGroupList.php, or (6) AdminUserLogList.php. | 4.3 |
2014-12-31 | CVE-2014-9432 | S9Y | Cross-Site Scripting vulnerability in S9Y Serendipity 2.0 Multiple cross-site scripting (XSS) vulnerabilities in templates/2k11/admin/overview.inc.tpl in Serendipity before 2.0-rc2 allow remote attackers to inject arbitrary web script or HTML via a blog comment in the QUERY_STRING to serendipity/index.php. | 4.3 |
2014-12-31 | CVE-2014-9430 | Smoothwall | Cross-Site Scripting vulnerability in Smoothwall 3.0 Cross-site scripting (XSS) vulnerability in httpd/cgi-bin/vpn.cgi/vpnconfig.dat in Smoothwall Express 3.0 SP3 allows remote attackers to inject arbitrary web script or HTML via the COMMENT parameter in an Add action. | 4.3 |
2014-12-31 | CVE-2014-9429 | Smoothwall | Cross-Site Scripting vulnerability in Smoothwall 3.0/3.1 Multiple cross-site scripting (XSS) vulnerabilities in Smoothwall Express 3.1 and 3.0 SP3 allow remote attackers to inject arbitrary web script or HTML via the (1) PROFILENAME parameter in a Save action to httpd/cgi-bin/pppsetup.cgi or (2) COMMENT parameter in an Add action to httpd/cgi-bin/ddns.cgi. | 4.3 |
2014-12-31 | CVE-2011-5283 | Smoothwall | Cross-Site Scripting vulnerability in Smoothwall 3.0/3.1 Cross-site scripting (XSS) vulnerability in the web management interface in httpd/cgi-bin/ipinfo.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to inject arbitrary web script or HTML via the IP parameter in a Run action. | 4.3 |
2014-12-31 | CVE-2014-9367 | Twiki | Cross-Site Scripting vulnerability in Twiki 6.0.0/6.0.1 Incomplete blacklist vulnerability in the urlEncode function in lib/TWiki.pm in TWiki 6.0.0 and 6.0.1 allows remote attackers to conduct cross-site scripting (XSS) attacks via a "'" (single quote) in the scope parameter to do/view/TWiki/WebSearch. | 4.3 |
2014-12-31 | CVE-2014-9325 | Twiki | Cross-Site Scripting vulnerability in Twiki 6.0.1 Multiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERYSTRING variable in lib/TWiki.pm or (2) QUERYPARAMSTRING variable in lib/TWiki/UI/View.pm, as demonstrated by the QUERY_STRING to do/view/Main/TWikiPreferences. | 4.3 |
2014-12-31 | CVE-2014-8752 | JCE Tech | Cross-Site Scripting vulnerability in Jce-Tech Video Niche Script 4.0 Multiple cross-site scripting (XSS) vulnerabilities in view.php in JCE-Tech PHP Video Script (aka Video Niche Script) 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) video or (2) title parameter. | 4.3 |
2014-12-30 | CVE-2014-4630 | Dell | Cryptographic Issues vulnerability in Dell Bsafe Micro-Edition-Suite and Bsafe Ssl-J EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.6 and RSA BSAFE SSL-J before 6.1.4 do not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack." | 4.3 |
2014-12-30 | CVE-2011-2727 | Tribiq | Information Exposure vulnerability in Tribiq CMS The (1) templatewrap/templatefoot.php, (2) cmsjs/plugin.js.php, and (3) cmsincludes/cms_plugin_api_link.inc.php scripts in Tribal Tribiq CMS before 5.2.7c allow remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. | 4.3 |
7 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-01-04 | CVE-2014-9506 | Mantisbt | Information Exposure vulnerability in Mantisbt MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues. | 3.5 |
2015-01-02 | CVE-2014-9461 | Reality66 | Path Traversal vulnerability in Reality66 Cart66 Lite 1.5.1.17/1.5.3 Directory traversal vulnerability in models/Cart66.php in the Cart66 Lite plugin before 1.5.4 for WordPress allows remote authenticated users to read arbitrary files via a .. | 3.5 |
2015-01-02 | CVE-2014-9434 | Absolutengine | Cross-site Scripting vulnerability in Absolutengine Absolut Engine 1.73 Cross-site scripting (XSS) vulnerability in admin/managerrelated.php in the administrative backend in Absolut Engine 1.73 allows remote authenticated users to inject arbitrary web script or HTML via the title parameter. | 3.5 |
2015-01-04 | CVE-2014-9507 | Mediawiki | Cross-site Scripting vulnerability in Mediawiki MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS. | 2.6 |
2014-12-31 | CVE-2014-9433 | Contenido | Cross-Site Scripting vulnerability in Contenido Contendio Multiple cross-site scripting (XSS) vulnerabilities in cms/front_content.php in Contenido before 4.9.6, when advanced mod rewrite (AMR) is disabled, allow remote attackers to inject arbitrary web script or HTML via the (1) idart, (2) lang, or (3) idcat parameter. | 2.6 |
2014-12-29 | CVE-2014-6160 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Websphere Service Registry and Repository 8.5 IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation. | 2.1 |
2014-12-29 | CVE-2014-6123 | IBM | Information Exposure vulnerability in IBM Rational Appscan Source and Security Appscan Source IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to obtain sensitive credential information by reading installation logs. | 2.1 |