CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-2856 XSS 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function.
2 CVE-2014-2844 XSS 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
Cross-site scripting (XSS) vulnerability in F-Secure Messaging Secure Gateway 7.5.0 before Patch 1862 allows remote authenticated administrators to inject arbitrary web script or HTML via the new parameter in the SysUser module to admin.
3 CVE-2014-2733 DoS 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Siemens SINEMA Server before 12 SP1 allows remote attackers to cause a denial of service (web-interface outage) via crafted HTTP requests to port (1) 4999 or (2) 80.
4 CVE-2014-2732 Dir. Trav. 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Multiple directory traversal vulnerabilities in the integrated web server in Siemens SINEMA Server before 12 SP1 allow remote attackers to access arbitrary files via HTTP traffic to port (1) 4999 or (2) 80.
5 CVE-2014-2731 Exec Code 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Multiple unspecified vulnerabilities in the integrated web server in Siemens SINEMA Server before 12 SP1 allow remote attackers to execute arbitrary code via HTTP traffic to port (1) 4999 or (2) 80.
6 CVE-2014-2665 +Info 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity.
7 CVE-2014-2597 DoS 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
PCNetSoftware RAC Server 4.0.4 and 4.0.5 allows local users to cause a denial of service (disabled keyboard or crash) via a large input buffer to unspecified IOCTL requests in RACDriver.sys, which triggers a buffer over-read.
8 CVE-2014-2522 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
curl and libcurl 7.27.0 through 7.35.0, when runnning on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
9 CVE-2014-2289 DoS 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
res/res_pjsip_exten_state.c in the PJSIP channel driver in Asterisk Open Source 12.x before 12.1.0 allows remote authenticated users to cause a denial of service (crash) via a SUBSCRIBE request without any Accept headers, which triggers an invalid pointer dereference.
10 CVE-2014-2288 DoS 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
The PJSIP channel driver in Asterisk Open Source 12.x before 12.1.1, when qualify_frequency "is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request," allows remote attackers to cause a denial of service (crash) via a PJSIP endpoint that does not have an associated outgoing request.
11 CVE-2014-2287 DoS 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.15 before 1.8.15-cert5 and 11.6 before 11.6-cert2, when chan_sip has a certain configuration, allows remote authenticated users to cause a denial of service (channel and file descriptor consumption) via an INVITE request with a (1) Session-Expires or (2) Min-SE header with a malformed or invalid value.
12 CVE-2014-2286 DoS Exec Code 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.x before 1.8.15-cert5 and 11.6 before 11.6-cert2, allows remote attackers to cause a denial of service (stack consumption) and possibly execute arbitrary code via an HTTP request with a large number of Cookie headers.
13 CVE-2014-2155 DoS 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
The DHCPv6 server module in Cisco CNS Network Registrar 7.1 allows remote attackers to cause a denial of service (daemon reload) via a malformed DHCPv6 packet, aka Bug ID CSCuo07437.
14 CVE-2014-2014 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.
15 CVE-2014-1990 CSRF 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Cross-site request forgery (CSRF) vulnerability in TopAccess (aka the web-based management utility) on TOSHIBA TEC e-Studio 232, 233, 282, and 283 devices allows remote attackers to hijack the authentication of administrators for requests that change passwords.
16 CVE-2014-1984 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Session fixation vulnerability in the management screen in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to hijack web sessions via unspecified vectors.
17 CVE-2014-1983 DoS 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Unspecified vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to cause a denial of service (CPU consumption) via unknown vectors.
18 CVE-2014-1974 Dir. Trav. 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Directory traversal vulnerability in LYSESOFT AndExplorer before 20140403 and AndExplorerPro before 20140405 allows attackers to overwrite or create arbitrary files via unspecified vectors.
19 CVE-2014-1517 +Info CSRF 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue.
20 CVE-2014-0778 +Info 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
The TCPUploader module in Progea Movicon 11.4 before 11.4.1150 allows remote attackers to obtain potentially sensitive version information via network traffic to TCP port 10651.
21 CVE-2014-0150 Exec Code Overflow 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow.
22 CVE-2013-7369 Exec Code Sql 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
SQL injection vulnerability in an unspecified DLL in the FSDBCom ActiveX control in F-Secure Anti-Virus for Microsoft Exchange Server before HF02, Anti-Virus for Windows Servers 9.00 before HF09, Anti-Virus for Citrix Servers 9.00 before HF09, and F-Secure Email and Server Security and F-Secure Server Security 9.20 before HF01 allows remote attackers to execute arbitrary SQL commands via unknown vectors, related to GetCommand.
23 CVE-2013-7196 Bypass 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
static/ajax.php in PHPFox 3.7.3, 3.7.4, and 3.7.5 allows remote authenticated users to bypass intended "Only Me" restrictions and comment on a private publication via a request with a modified val[item_id] parameter for the publication.
24 CVE-2013-7195 Bypass 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
PHPFox 3.7.3 and 3.7.4 allows remote authenticated users to bypass intended "Only Me" restrictions and "like" a publication via a request that specifies the ID for the publication.
25 CVE-2013-6219 Bypass 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Unspecified vulnerability in HP HP-UX Whitelisting (aka WLI) before A.01.02.02 on HP-UX B.11.31 allows local users to bypass intended access restrictions via unknown vectors.
26 CVE-2013-6218 Exec Code 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors.
27 CVE-2013-6215 Exec Code 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 10.01 and 10.10 allows remote authenticated users to execute arbitrary code via unknown vectors, aka ZDI-CAN-1977.
28 CVE-2013-6214 +Info 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.
29 CVE-2013-6213 Exec Code 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.
30 CVE-2013-6212 +Info 2014-04-19 2014-04-19
0.0
None ??? ??? ??? ??? ??? ???
Unspecified vulnerability in HP Database and Middleware Automation 10.0, 10.01, 10.10, and 10.20 before 10.20.100 allows remote authenticated users to obtain sensitive information via unknown vectors.
31 CVE-2013-4869 255 2013-07-18 2013-08-22
0.0
None Remote Low Not required None None None
Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) and the IM & Presence Service in Cisco Unified Presence Server through 9.1(2) use the same CTI and database-encryption key across different customers' installations, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key, aka Bug IDs CSCsc69187 and CSCui01756. NOTE: the vendor has provided a statement that the "hard-coded static encryption key is considered a hardening issue rather than a vulnerability, and as such, has a CVSS score of 0/0."
32 CVE-2013-4290 Overflow 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
Stack-based buffer overflow in OpenJPEG before 1.5.2] allows remote attackers to have unspecified impact via unknown vectors to (1) lib/openjp3d/opj_jp3d_compress.c, (2) bin/jp3d/convert.c, and (3) lib/openjp3d/event.c.
33 CVE-2013-4289 Overflow 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
Multiple integer overflows in lib/openjp3d/jp3d.c in OpenJPEG before 1.5.2 allow remote attackers to have unspeicified impact and vectors, which trigger a heap-based buffer overflow.
34 CVE-2013-4279 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.
35 CVE-2013-2493 DoS 2013-03-07 2013-03-07
0.0
None ??? ??? ??? ??? ??? ???
The Hook_Terminate function in chrome_frame/protocol_sink_wrap.cc in the Google Chrome Frame plugin before 26.0.1410.28 for Internet Explorer does not properly handle attach tab requests, which allows user-assisted remote attackers to cause a denial of service (application crash) via an _blank value for the target attribute of an A element.
36 CVE-2013-1622 2013-02-08 2013-02-08
0.0
None ??? ??? ??? ??? ??? ???
The SSL module in PolarSSL before 1.2.5, when TLS alert messages for decryption errors are enabled, omits a required MAC check during the processing of malformed CBC data in a TLS session, which allows remote attackers to conduct distinguishing attacks via statistical analysis of timing side-channel data for crafted packets, a different vulnerability than CVE-2013-0169.
37 CVE-2013-1154 DoS 2013-03-07 2013-03-07
0.0
None ??? ??? ??? ??? ??? ???
The Cisco Small Business 200 Series Smart Switch 1.2.7.76 and earlier, Small Business 300 Series Managed Switch 1.2.7.76 and earlier, and Small Business 500 Series Stackable Managed Switch 1.2.7.76 and earlier allow remote attackers to cause a denial of service (SSL/TLS layer outage) via malformed (1) SSH or (2) SSL packets, aka Bug ID CSCua30246.
38 CVE-2013-1153 CSRF 2013-03-07 2013-03-07
0.0
None ??? ??? ??? ??? ??? ???
Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.
39 CVE-2012-6646 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
F-Secure Anti-Virus, Safe Anywhere, and PSB Workstation Security before 11500 for Mac OS X allows local users to disable the Mac OS X firewall via unspecified vectors.
40 CVE-2012-5085 2012-10-16 2013-11-02
0.0
None Remote Medium Single system None None None
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote authenticated users to have an unspecified impact via unknown vectors related to Networking. NOTE: the Oracle CPU states that this issue has a 0.0 CVSS score. If so, then this is not a vulnerability and this issue should not be included in CVE.
41 CVE-2012-0871 2014-04-18 2014-04-18
0.0
None ??? ??? ??? ??? ??? ???
The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.
42 CVE-2012-0547 2012-08-30 2013-10-30
0.0
None Remote Low Not required None None None
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no impact and remote attack vectors involving AWT and "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited." NOTE: this identifier was assigned by the Oracle CNA, but CVE is not intended to cover defense-in-depth issues that are only exposed by the presence of other vulnerabilities. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "toolkit internals references."
43 CVE-2009-0671 Exec Code 2009-02-22 2009-02-26
0.0
None ??? ??? ??? ??? ??? ???
** REJECT ** Format string vulnerability in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit imap-2007d and other applications, allows remote attackers to execute arbitrary code via format string specifiers in the initial request to the IMAP port (143/tcp). NOTE: Red Hat has disputed the vulnerability, stating "The Red Hat Security Response Team have been unable to confirm the existence of this format string vulnerability in the toolkit, and the sample published exploit is not complete or functional." CVE agrees that the exploit contains syntax errors and uses Unix-only include files while invoking Windows functions.
44 CVE-2009-0242 DoS 2009-01-21 2009-02-05
0.0
None ??? ??? ??? ??? ??? ???
** REJECT ** gmetad in Ganglia 3.1.1, when supporting multiple requests per connection on an interactive port, allows remote attackers to cause a denial of service via a request to the gmetad service with a path does not exist, which causes Ganglia to (1) perform excessive CPU computation and (2) send the entire tree, which consumes network bandwidth. NOTE: the vendor and original researcher have disputed this issue, since legitimate requests can generate the same amount of resource consumption. CVE concurs with the dispute, so this identifier should not be used.
45 CVE-2008-6049 Exec Code Sql 2009-02-04 2009-03-21
0.0
None ??? ??? ??? ??? ??? ???
** REJECT ** SQL injection vulnerability in index.php in TinyMCE 2.0.1 allows remote attackers to execute arbitrary SQL commands via the menuID parameter. NOTE: CVE and multiple reliable third parties dispute this issue, since TinyMCE does not contain index.php or any PHP code. This may be an issue in a product that has integrated TinyMCE.
46 CVE-2007-5908 DoS Exec Code Overflow 2007-11-09 2008-09-10
0.0
None ??? ??? ??? ??? ??? ???
** REJECT ** Buffer overflow in the (1) sysfs_show_available_clocksources and (2) sysfs_show_current_clocksources functions in Linux kernel 2.6.23 and earlier might allow local users to cause a denial of service or execute arbitrary code via crafted clock source names. NOTE: follow-on analysis by Linux developers states that "There is no way for unprivileged users (or really even the root user) to add new clocksources."
47 CVE-2007-5421 Exec Code Overflow 2007-10-12 2008-09-10
0.0
None ??? ??? ??? ??? ??? ???
** REJECT ** Multiple stack-based buffer overflows in Cisco IOS 12.x and IOS XR allow attackers to execute arbitrary code, as demonstrated via the "Bind Shell", "Reverse Shell", and "Two byte rootshell (Tiny Shell)" attacks. NOTE: the vendor and researcher agree that this issue does not cross privilege boundaries, saying they do not "represent a vulnerability." The disclosure was intended to demonstrate techniques for exploitation, which is not covered by CVE.
48 CVE-2007-4044 2007-07-27 2008-09-10
0.0
None ??? ??? ??? ??? ??? ???
** REJECT ** The MS-RPC functionality in smbd in Samba 3 on SUSE Linux before 20070720 does not include "one character in the shell escape handling." NOTE: this issue was originally characterized as a shell metacharacter issue due to an incomplete fix for CVE-2007-2447, which was interpreted by CVE to be security relevant. However, SUSE and Red Hat have disputed the problem, stating that the only impact is that scripts will not be executed if they have a "c" in their name, but even this limitation might not exist. This does not have security implications, so should not be included in CVE.
49 CVE-2007-2056 2007-04-30 2008-09-10
0.0
None ??? ??? ??? ??? ??? ???
** REJECT ** The getlock function in aimage/aimage.cpp in AFFLIB 2.2.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary lock files (aka "time-of-check-time-of-use file race"). NOTE: the researcher has retracted the original advisory, stating that "the portion of vulnerable code is not called in any current version of AFFLIB and is therefore not exploitable."
50 CVE-2006-4854 Exec Code 2006-09-19 2008-09-10
0.0
None ??? ??? ??? ??? ??? ???
** REJECT ** Unspecified vulnerability in Microsoft Office 2000 (Chinese Edition) and Microsoft PowerPoint 2000 (Chinese Edition) allows user-assisted attackers to execute arbitrary code via a crafted PPT document, as exploited by malware such as Trojan.PPDropper.E. NOTE: on 20060919, Microsoft notified CVE that this is a duplicate of CVE-2006-0009.
Total number of vulnerabilities : 71   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.