CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-2690 264 2014-04-15 2014-04-16
2.1
None Local Low Not required Partial None None
Citrix VDI-in-a-Box 5.3.x before 5.3.6 and 5.4.x before 5.4.3 allows local users to obtain administrator credentials by reading the log.
2 CVE-2014-2573 264 DoS Bypass 2014-03-25 2014-03-26
2.3
None Local Network Medium Single system None None Partial
The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image.
3 CVE-2014-2568 399 +Info 2014-03-24 2014-04-01
2.9
None Local Network Medium Not required Partial None None
Use-after-free vulnerability in the nfqnl_zcopy function in net/netfilter/nfnetlink_queue_core.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. NOTE: the affected code was moved to the skb_zerocopy function in net/core/skbuff.c before the vulnerability was announced.
4 CVE-2014-2466 2014-04-15 2014-04-16
2.1
None Remote High Single system Partial None None
Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.
5 CVE-2014-2432 2014-04-15 2014-04-16
2.8
None Remote Medium Multiple systems None None Partial
Unspecified vulnerability Oracle the MySQL Server component 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated.
6 CVE-2014-2431 2014-04-15 2014-04-16
2.6
None Remote High Not required None None Partial
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options.
7 CVE-2014-2420 2014-04-15 2014-04-16
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect integrity via unknown vectors related to Deployment.
8 CVE-2014-2333 79 XSS 2014-04-11 2014-04-14
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Lazyest Gallery plugin before 1.1.21 for WordPress allows remote attackers to inject arbitrary web script or HTML via an EXIF tag. NOTE: some of these details are obtained from third party information.
9 CVE-2014-2040 79 XSS 2014-03-03 2014-03-07
2.1
None Remote High Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the (1) callback_multicheck, (2) callback_radio, and (3) callback_wysiwygin functions in mfrh_class.settings-api.php in the Media File Renamer plugin 1.7.0 for WordPress allow remote authenticated users with permissions to add media or edit media to inject arbitrary web script or HTML via unspecified parameters, as demonstrated by the title of an uploaded file.
10 CVE-2014-1948 255 +Info 2014-02-14 2014-03-08
2.6
None Local High Not required Partial Partial None
OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading the log.
11 CVE-2014-1826 79 XSS 2014-03-26 2014-03-26
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the iThoughtsHD app 4.19 for iOS on iPad devices, when the WiFi Transfer feature is used, allows remote attackers to inject arbitrary web script or HTML via a crafted map name.
12 CVE-2014-1690 119 Overflow +Info 2014-02-28 2014-03-16
2.6
None Remote High Not required Partial None None
The help function in net/netfilter/nf_nat_irc.c in the Linux kernel before 3.12.8 allows remote attackers to obtain sensitive information from kernel memory by establishing an IRC DCC session in which incorrect packet data is transmitted during use of the NAT mangle feature.
13 CVE-2014-1604 2014-01-27 2014-01-28
2.1
None Local Low Not required None Partial None
The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.
14 CVE-2014-1504 264 XSS 2014-03-19 2014-04-01
2.6
None Remote High Not required None Partial None
The session-restore feature in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not consider the Content Security Policy of a data: URL, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document that is accessed after a browser restart.
15 CVE-2014-1445 399 +Info 2014-01-18 2014-03-16
2.1
None Local Low Not required Partial None None
The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call.
16 CVE-2014-1279 264 +Info 2014-03-14 2014-03-14
2.1
None Local Low Not required Partial None None
Apple TV before 6.1 does not properly restrict logging, which allows local users to obtain sensitive information by reading log data.
17 CVE-2014-1274 200 +Info 2014-03-14 2014-03-14
2.1
None Local Low Not required Partial None None
FaceTime in Apple iOS before 7.1 allows physically proximate attackers to obtain sensitive FaceTime contact information by using the lock screen for an invalid FaceTime call.
18 CVE-2014-1234 200 +Info 2014-01-10 2014-01-10
2.1
None Local Low Not required Partial None None
The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.
19 CVE-2014-1233 200 +Info 2014-01-10 2014-01-10
2.1
None Local Low Not required Partial None None
The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.
20 CVE-2014-0979 DoS 2014-01-22 2014-02-21
2.1
None Local Low Not required None None Partial
The start_authentication function in lightdm-gtk-greeter.c in LightDM GTK+ Greeter before 1.7.1 does not properly handle the return value from the lightdm_greeter_get_authentication_user function, which allows local users to cause a denial of service (NULL pointer dereference) via an empty username.
21 CVE-2014-0647 255 2014-01-27 2014-02-24
2.1
None Local Low Not required Partial None None
The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog.
22 CVE-2014-0624 +Priv Bypass 2014-03-06 2014-03-07
2.7
None Local Network Low Single system Partial None None
EMC RSA Data Loss Prevention (DLP) 9.x before 9.6-SP2 does not properly manage sessions, which allows remote authenticated users to gain privileges and bypass intended content-reading restrictions via unspecified vectors.
23 CVE-2014-0591 119 DoS Overflow 2014-01-13 2014-02-21
2.6
None Remote High Not required None None Partial
The query_findclosestnsec3 function in query.c in named in ISC BIND 9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV before 9.6-ESV-R10-P2, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a crafted DNS query to an authoritative nameserver that uses the NSEC3 signing feature.
24 CVE-2014-0430 2014-01-15 2014-02-06
2.8
None Remote Medium Multiple systems None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema.
25 CVE-2014-0420 2014-01-15 2014-03-05
2.8
None Remote Medium Multiple systems None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Replication.
26 CVE-2014-0406 2014-01-15 2014-03-26
2.4
None Local High Single system None Partial Partial
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-0404.
27 CVE-2014-0404 2014-01-15 2014-03-26
2.4
None Local High Single system None Partial Partial
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-0406.
28 CVE-2014-0381 2014-01-15 2014-02-06
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect integrity via vectors related to PIA Core Technology, a different vulnerability than CVE-2014-0445.
29 CVE-2014-0370 2014-01-15 2014-02-06
2.8
None Remote Medium Multiple systems None None Partial
Unspecified vulnerability in the Siebel Life Sciences component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Clinical Trip Report.
30 CVE-2014-0131 399 +Info 2014-03-24 2014-03-25
2.9
None Local Network Medium Not required Partial None None
Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.
31 CVE-2014-0085 255 +Info 2014-04-17 2014-04-17
2.1
None Local Low Not required Partial None None
Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.
32 CVE-2014-0046 79 XSS 2014-02-27 2014-03-05
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the link-to helper in Ember.js 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6, when used in non-block form, allows remote attackers to inject arbitrary web script or HTML via the title attribute.
33 CVE-2013-7128 310 +Info 2013-12-17 2013-12-18
2.1
None Local Low Not required Partial None None
Valve Bug Reporter in the valve-bugreporter package 2.10+bsos1 in Valve SteamOS Beta stores cleartext credentials in a .valve-bugreporter.cfg file upon a Remember Credentials action, which allows local users to obtain sensitive information by reading this file.
34 CVE-2013-7127 310 +Info 2013-12-17 2014-01-03
2.1
None Local Low Not required Partial None None
Apple Safari 6.0.5 on Mac OS X 10.7.5 and 10.8.5 stores cleartext credentials in LastSession.plist, which allows local users to obtain sensitive information by reading this file.
35 CVE-2013-7078 79 XSS 2014-01-19 2014-01-21
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message. NOTE: this might be the same vulnerability as CVE-2013-7072.
36 CVE-2013-6986 310 Bypass +Info 2013-12-12 2013-12-19
2.1
None Local Low Not required Partial None None
The ZippyYum Subway CA Kiosk app 3.4 for iOS uses cleartext storage in SQLite cache databases, which allows attackers to obtain sensitive information by reading data elements, as demonstrated by password elements.
37 CVE-2013-6956 79 XSS 2013-12-13 2014-01-03
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Secure Access Service Web rewriting feature in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS before 7.1r17, 7.3 before 7.3r8, 7.4 before 7.4r6, and 8.0 before 8.0r1, when web rewrite is enabled, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
38 CVE-2013-6493 200 +Info 2014-03-03 2014-03-16
2.1
None Local Low Not required Partial None None
The LiveConnect implementation in plugin/icedteanp/IcedTeaNPPlugin.cc in IcedTea-Web before 1.4.2 allows local users to read the messages between a Java applet and a web browser by pre-creating a temporary socket file with a predictable name in /tmp.
39 CVE-2013-6480 200 +Info 2014-01-07 2014-03-05
2.1
None Local Low Not required Partial None None
Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.
40 CVE-2013-6436 264 DoS 2014-01-07 2014-03-05
2.1
None Local Low Not required None None Partial
The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt 1.0.5 through 1.2.0 does not properly check the status of LXC guests when reading memory tunables, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) via a guest in the shutdown status, as demonstrated by the "virsh memtune" command.
41 CVE-2013-6402 59 2014-01-05 2014-03-05
2.1
None Local Low Not required None Partial None
base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.11 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hp-pkservice.log temporary file.
42 CVE-2013-6398 264 Bypass 2014-01-15 2014-02-25
2.8
None Remote Medium Multiple systems Partial None None
The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request.
43 CVE-2013-6394 310 2013-12-13 2014-03-05
2.1
None Local Low Not required None Partial None
Percona XtraBackup before 2.1.6 uses a constant string for the initialization vector (IV), which makes it easier for local users to defeat cryptographic protection mechanisms and conduct plaintext attacks.
44 CVE-2013-6387 79 XSS 2013-12-24 2014-01-03
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field.
45 CVE-2013-6216 +Priv 2014-04-12 2014-04-14
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in HP Array Configuration Utility, Array Diagnostics Utility, ProLiant Array Diagnostics, and SmartSSD Wear Gauge Utility 9.40 and earlier allows local users to gain privileges via unknown vectors.
46 CVE-2013-6181 310 +Info 2013-12-27 2014-01-07
2.1
None Local Low Not required Partial None None
EMC Watch4Net before 6.3 stores cleartext polled-device passwords in the installation repository, which allows local users to obtain sensitive information by leveraging repository privileges.
47 CVE-2013-5964 79 XSS 2013-09-30 2013-10-10
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the administration page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag title.
48 CVE-2013-5951 79 XSS 2014-03-25 2014-03-25
2.6
None Remote High Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer 2.1.3, when used as a component for Joomla!, allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) application.js.php in scripts/ or (2) admin.php, (3) copy_move.php, (4) functions.php, (5) header.php, or (6) upload.php in include/.
49 CVE-2013-5908 2014-01-15 2014-03-05
2.6
None Remote High Not required None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling.
50 CVE-2013-5875 2014-01-15 2014-02-06
2.7
None Local Medium Multiple systems None Partial Partial
Unspecified vulnerability in Oracle Solaris 11.1 allows local users to affect integrity and availability via vectors related to Role Based Access Control (RBAC).
Total number of vulnerabilities : 2599   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.