CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-200

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-9361 200 +Priv +Info 2014-12-10 2014-12-11
4.3
None Remote Medium Not required Partial None None
The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page.
2 CVE-2014-9303 200 +Info 2014-12-07 2014-12-08
7.8
None Remote Low Not required Complete None None
EntryPass N5200 Active Network Control Panel allows remote attackers to read device memory and obtain the administrator username and password via a URL starting with an ASCII character o through z or A through D, different vectors than CVE-2014-8868.
3 CVE-2014-9279 200 +Info 2014-12-08 2014-12-09
5.0
None Remote Low Not required Partial None None
The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL.
4 CVE-2014-9252 200 +Info 2014-12-15 2014-12-16
2.1
None Local Low Not required Partial None None
Zenoss Core through 5 Beta 3 stores cleartext passwords in the session database, which might allow local users to obtain sensitive information by reading database entries, aka ZEN-15416.
5 CVE-2014-9250 200 +Info 2014-12-15 2014-12-16
5.0
None Remote Low Not required Partial None None
Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a Set-Cookie header for the authentication cookie, which makes it easier for remote attackers to obtain credential information via script access to this cookie, aka ZEN-10418.
6 CVE-2014-9247 200 +Info 2014-12-15 2014-12-16
4.0
None Remote Low Single system Partial None None
Zenoss Core through 5 Beta 3 allows remote authenticated users to obtain sensitive (1) user account, (2) e-mail address, and (3) role information by visiting the ZenUsers (aka User Manager) page, aka ZEN-15389.
7 CVE-2014-9245 200 +Info 2014-12-15 2014-12-16
5.0
None Remote Low Not required Partial None None
Zenoss Core through 5 Beta 3 allows remote attackers to obtain sensitive information by attempting a product-rename action with an invalid new name and then reading a stack trace, as demonstrated by internal URL information, aka ZEN-15382.
8 CVE-2014-9177 200 +Info 2014-12-02 2014-12-02
5.0
None Remote Low Not required Partial None None
The HTML5 MP3 Player with Playlist Free plugin before 2.7 for WordPress allows remote attackers to obtain the installation path via a request to html5plus/playlist.php.
9 CVE-2014-9162 200 +Info 2014-12-10 2014-12-11
5.0
None Remote Low Not required Partial None None
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to obtain sensitive information via unspecified vectors.
10 CVE-2014-9156 200 +Info 2014-12-01 2014-12-01
4.0
None Remote Low Single system Partial None None
The FileField module 6.x-3.x before 6.x-3.13 for Drupal does not properly check permissions to view files, which allows remote authenticated users with permission to create or edit content to read private files by attaching an uploaded file.
11 CVE-2014-9154 200 +Info 2014-12-01 2014-12-05
4.0
None Remote Low Single system Partial None None
The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly restrict access to (1) new or (2) modified nodes or (3) their fields, which allows remote authenticated users to obtain node titles, teasers, and fields by reading a notification email.
12 CVE-2014-9025 200 +Info 2014-11-20 2014-11-21
5.0
None Remote Low Not required Partial None None
The default checkout completion rule in the commerce_order module in the Drupal Commerce module 7.x-1.x before 7.x-1.10 for Drupal uses the email address as the username for new accounts created at checkout, which allows remote attackers to obtain sensitive information via unspecified vectors.
13 CVE-2014-9018 200 +Info 2014-12-03 2014-12-17
5.0
None Remote Low Not required Partial None None
Icecast before 2.4.1 transmits the output of the on-connect script, which might allow remote attackers to obtain sensitive information, related to shared file descriptors.
14 CVE-2014-8874 200 +Info 2014-12-02 2014-12-03
5.0
None Remote Low Not required Partial None None
The ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses predictable names for the questionnaire answer forms, which makes it easier for remote attackers to obtain sensitive information via a direct request.
15 CVE-2014-8788 200 +Info 2014-12-02 2014-12-05
4.0
None Remote Low Single system Partial None None
GleamTech FileVista before 6.1 allows remote authenticated users to obtain sensitive information via a crafted path when saving a zip file, which reveals the installation path in an error message.
16 CVE-2014-8775 200 +Info 2014-12-03 2014-12-05
5.0
None Remote Low Not required Partial None None
MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
17 CVE-2014-8762 200 +Info 2014-10-22 2014-11-13
5.0
None Remote Low Not required Partial None None
The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter.
18 CVE-2014-8761 200 +Info 2014-10-22 2014-11-13
5.0
None Remote Low Not required Partial None None
inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call.
19 CVE-2014-8736 200 Bypass +Info 2014-11-12 2014-11-13
5.0
None Remote Low Not required Partial None None
The Open Atrium Core module for Drupal before 7.x-2.22 allows remote attackers to bypass access restrictions and read file attachments that have been removed from a node by leveraging a previous revision of the node.
20 CVE-2014-8735 200 +Info 2014-11-12 2014-11-13
4.0
None Remote Low Single system Partial None None
The Bad Behavior module 6.x-2.x before 6.x-2.2216 and 7.x-2.x before 7.x-2.2216 for Drupal logs usernames and passwords, which allows remote authenticated users with the "administer bad behavior" permission to obtain sensitive information by reading a log file.
21 CVE-2014-8709 200 +Info 2014-11-10 2014-11-20
5.0
None Remote Low Not required Partial None None
The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets.
22 CVE-2014-8678 200 +Info 2014-11-25 2014-11-26
7.8
None Remote Low Not required Complete None None
The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile."
23 CVE-2014-8666 200 +Info 2014-11-06 2014-11-06
5.0
None Remote Low Not required Partial None None
The User & Server configuration, InfoView refresh, user rights (BI-BIP-ADM) component in SAP Business Intellignece allows remote attackers to obtain audit event details via unspecified vectors.
24 CVE-2014-8665 200 +Info 2014-11-06 2014-11-06
5.0
None Remote Low Not required Partial None None
The SAP Business Intelligence Development Workbench allows remote attackers to obtain sensitive information by reading unspecified files.
25 CVE-2014-8566 200 DoS Overflow +Info 2014-11-15 2014-11-20
6.4
None Remote Low Not required Partial None Partial
The mod_auth_mellon module before 0.8.1 allows remote attackers to obtain sensitive information or cause a denial of service (segmentation fault) via unspecified vectors related to a "session overflow" involving "sessions overlapping in memory."
26 CVE-2014-8553 200 +Info 2014-12-17 2014-12-18
5.0
None Remote Low Not required Partial None None
The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request.
27 CVE-2014-8552 200 +Info 2014-11-26 2014-11-26
5.0
None Remote Low Not required Partial None None
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets.
28 CVE-2014-8537 200 +Info 2014-10-29 2014-11-13
2.1
None Local Low Not required Partial None None
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading the logs.
29 CVE-2014-8536 200 +Info 2014-10-29 2014-11-13
2.1
None Local Low Not required Partial None None
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading unspecified error messages.
30 CVE-2014-8528 200 +Info 2014-10-29 2014-10-30
2.1
None Local Low Not required Partial None None
McAfee Network Data Loss Prevention (NDLP) before 9.3 logs session IDs, which allows local users to obtain sensitive information by reading the audit log.
31 CVE-2014-8526 200 +Info 2014-10-29 2014-10-30
2.1
None Local Low Not required Partial None None
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information by reading a Java stack trace.
32 CVE-2014-8525 200 +Info 2014-10-29 2014-11-13
5.0
None Remote Low Not required Partial None None
McAfee Network Data Loss Prevention (NDLP) before 9.3 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
33 CVE-2014-8524 200 +Info 2014-10-29 2014-10-30
5.0
None Remote Low Not required Partial None None
McAfee Network Data Loss Prevention (NDLP) before 9.3 does not disable the autocomplete setting for the password and other fields, which allows remote attackers to obtain sensitive information via unspecified vectors.
34 CVE-2014-8520 200 +Info 2014-10-29 2014-11-13
5.0
None Remote Low Not required Partial None None
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information via vectors related to open network ports.
35 CVE-2014-8476 200 +Info 2014-11-13 2014-11-14
2.1
None Local Low Not required Partial None None
The setlogin function in FreeBSD 8.4 through 10.1-RC4 does not initialize the buffer used to store the login name, which allows local users to obtain sensitive information from kernel memory via a call to getlogin, which returns the entire buffer.
36 CVE-2014-8452 200 +Info 2014-12-10 2014-12-11
5.0
None Remote Low Not required Partial None None
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
37 CVE-2014-8451 200 +Info 2014-12-10 2014-12-11
5.0
None Remote Low Not required Partial None None
An unspecified JavaScript API in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to obtain sensitive information via unknown vectors, a different vulnerability than CVE-2014-8448.
38 CVE-2014-8448 200 +Info 2014-12-10 2014-12-11
5.0
None Remote Low Not required Partial None None
An unspecified JavaScript API in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to obtain sensitive information via unknown vectors, a different vulnerability than CVE-2014-8451.
39 CVE-2014-8437 200 +Info 2014-11-11 2014-11-12
5.0
None Remote Low Not required Partial None None
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow remote attackers to discover session tokens via unspecified vectors.
40 CVE-2014-8425 200 +Info 2014-11-28 2014-11-28
7.8
None Remote Low Not required Complete None None
The management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to obtain credentials by reading the configuration files.
41 CVE-2014-8372 200 +Info 2014-12-11 2014-12-12
4.0
None Remote Low Single system Partial None None
AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 (FP3) allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference.
42 CVE-2014-8315 200 +Info 2014-10-16 2014-10-21
5.0
None Remote Low Not required Partial None None
polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 replies with different timing depending on if a connection can be made, which allows remote attackers to conduct port scanning attacks via a host name and port in the cms parameter.
43 CVE-2014-8309 200 +Info 2014-10-16 2014-10-23
5.0
None Remote Low Not required Partial None None
SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.
44 CVE-2014-8244 200 +Info 2014-11-01 2014-11-03
7.5
None Remote Low Not required Partial Partial Partial
Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.41 build 162351 on E4200v2 and EA4500 devices; before 1.1.41 build 162599 on EA6200 devices; before 1.1.40 build 160989 on EA6300, EA6400, EA6500, and EA6700 devices; and before 1.1.42 build 161129 on EA6900 devices allows remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/ HTTP request.
45 CVE-2014-8082 200 +Info 2014-10-31 2014-11-03
5.0
None Remote Low Not required Partial None None
lib/functions/database.class.php in TestLink before 1.9.13 allows remote attackers to obtain sensitive information via unspecified vectors, which reveals the installation path in an error message.
46 CVE-2014-8068 200 +Info 2014-10-09 2014-10-31
5.0
None Remote Low Not required Partial None None
Adobe Digital Editions (DE) 4 does not use encryption for transmission of data to adelogs.adobe.com, which allows remote attackers to obtain sensitive information by sniffing the network, as demonstrated by book-navigation information.
47 CVE-2014-7992 200 +Info 2014-11-17 2014-11-18
5.0
None Remote Low Not required Partial None None
The DLSw implementation in Cisco IOS does not initialize packet buffers, which allows remote attackers to obtain sensitive credential information from process memory via a session on TCP port 2067, aka Bug ID CSCur14014.
48 CVE-2014-7988 200 +Info 2014-11-07 2014-12-02
4.0
None Remote Low Single system Partial None None
The Unified Messaging Service (UMS) in Cisco Unity Connection 10.5 and earlier allows remote authenticated users to obtain sensitive information by reading log files, aka Bug ID CSCur06493.
49 CVE-2014-7848 200 +Info 2014-11-24 2014-11-24
5.0
None Remote Low Not required Partial None None
lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.
50 CVE-2014-7833 200 +Info 2014-11-24 2014-11-24
4.0
None Remote Low Single system Partial None None
mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.
Total number of vulnerabilities : 1761   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.