CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In December 2014(Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-9419 200 Bypass +Info 2014-12-25 2018-01-04
2.1
None Local Low Not required Partial None None
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address.
2 CVE-2014-9304 264 Bypass 2014-12-07 2015-10-28
7.5
None Remote Low Not required Partial Partial Partial
Plex Media Server before 0.9.9.3 allows remote attackers to bypass the web server whitelist, conduct SSRF attacks, and execute arbitrary administrative actions via multiple crafted X-Plex-Url headers to system/proxy, which are inconsistently processed by the request handler in the backend web server.
3 CVE-2014-9278 287 Bypass 2014-12-06 2017-09-07
4.0
None Remote Low Single system None Partial None
The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.
4 CVE-2014-9217 287 Bypass 2014-12-08 2017-09-07
5.0
None Remote Low Not required None Partial None
Graylog2 before 0.92 allows remote attackers to bypass LDAP authentication via crafted wildcards.
5 CVE-2014-9184 287 Bypass 2014-12-02 2014-12-03
5.0
None Remote Low Not required None Partial None
ZTE ZXDSL 831CII allows remote attackers to bypass authentication via a direct request to (1) main.cgi, (2) adminpasswd.cgi, (3) userpasswd.cgi, (4) upload.cgi, (5) conprocess.cgi, or (6) connect.cgi.
6 CVE-2014-9135 264 Bypass 2014-12-19 2017-09-07
4.3
None Remote Medium Not required None Partial None
The PackageInstaller module in Huawei P7-L10 smartphones before V100R001C00B136 allows remote attackers to spoof the origin website and bypass the website whitelist protection mechanism via a crafted package.
7 CVE-2014-9117 284 Bypass 2014-12-06 2017-09-07
5.0
None Remote Low Not required None Partial None
MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0.
8 CVE-2014-8773 352 Bypass CSRF 2014-12-03 2014-12-05
6.8
None Remote Medium Not required Partial Partial Partial
MODX Revolution 2.x before 2.2.15 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism by (1) omitting the CSRF token or via a (2) long string in the CSRF token parameter.
9 CVE-2014-8632 284 Bypass 2014-12-11 2016-12-21
4.3
None Remote Medium Not required Partial None None
The structured-clone implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 does not properly interact with XrayWrapper property filtering, which allows remote attackers to bypass intended DOM object restrictions by leveraging property availability after XrayWrapper removal.
10 CVE-2014-8631 284 Bypass 2014-12-11 2016-12-21
4.3
None Remote Medium Not required Partial None None
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 supports native-interface passing, which allows remote attackers to bypass intended DOM object restrictions via a call to an unspecified method.
11 CVE-2014-8453 264 Bypass 2014-12-10 2014-12-11
5.0
None Remote Low Not required None Partial None
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow remote attackers to bypass the Same Origin Policy via unspecified vectors.
12 CVE-2014-8134 264 Bypass 2014-12-12 2017-01-02
2.1
None Local Low Not required Partial None None
The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value.
13 CVE-2014-8133 264 Bypass 2014-12-17 2016-12-23
2.1
None Local Low Not required None Partial None
arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value.
14 CVE-2014-8109 264 Bypass 2014-12-29 2016-12-30
4.3
None Remote Medium Not required None Partial None
mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
15 CVE-2014-8006 287 Bypass 2014-12-16 2014-12-17
4.3
None Remote Medium Not required None Partial None
The Disaster Recovery (DRA) feature on the Cisco ISB8320-E High-Definition IP-Only DVR allows remote attackers to bypass authentication by establishing a TELNET session during a recovery boot, aka Bug ID CSCup85422.
16 CVE-2014-7879 287 Exec Code Bypass 2014-12-10 2019-10-09
8.5
None Remote Medium Single system Complete Complete Complete
HP HP-UX B.11.11, B.11.23, and B.11.31, when the PAM configuration includes libpam_updbe, allows remote authenticated users to bypass authentication, and consequently execute arbitrary code, via unspecified vectors.
17 CVE-2014-7809 352 Bypass CSRF 2014-12-10 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
18 CVE-2014-7807 287 Bypass 2014-12-10 2018-10-09
5.0
None Remote Low Not required None Partial None
Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind.
19 CVE-2014-6408 264 Bypass 2014-12-12 2014-12-15
5.0
None Remote Low Not required None Partial None
Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image.
20 CVE-2014-6368 20 Bypass 2014-12-10 2018-10-12
4.3
None Remote Medium Not required None Partial None
Microsoft Internet Explorer 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability."
21 CVE-2014-6365 20 XSS Bypass 2014-12-10 2018-10-12
4.3
None Remote Medium Not required None Partial None
Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the XSS filter via a crafted attribute of an element in an HTML document, aka "Internet Explorer XSS Filter Bypass Vulnerability," a different vulnerability than CVE-2014-6328.
22 CVE-2014-6355 200 Bypass +Info 2014-12-10 2018-10-12
5.0
None Remote Low Not required Partial None None
The Graphics Component in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly process JPEG images, which makes it easier for remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Graphics Component Information Disclosure Vulnerability."
23 CVE-2014-6328 20 XSS Bypass 2014-12-10 2018-10-12
5.0
None Remote Low Not required None Partial None
Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the XSS filter via a crafted attribute of an element in an HTML document, aka "Internet Explorer XSS Filter Bypass Vulnerability," a different vulnerability than CVE-2014-6365.
24 CVE-2014-6257 264 Bypass 2014-12-15 2016-03-21
5.0
None Remote Low Not required None Partial None
Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions by using a web-endpoint URL to invoke an object helper method, aka ZEN-15407.
25 CVE-2014-6256 264 Bypass 2014-12-15 2016-03-21
7.5
None Remote Low Not required Partial Partial Partial
Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions and place files in a directory with public (1) read or (2) execute access via a move action, aka ZEN-15386.
26 CVE-2014-6186 264 Bypass 2014-12-24 2017-09-07
4.0
None Remote Low Single system None Partial None
IBM WebSphere Service Registry and Repository (WSRR) 6.3.x before 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x before 7.5.0.3, and 8.0.x before 8.0.0.1 allows remote authenticated users to bypass intended object-access restrictions via the datagraph.
27 CVE-2014-6160 264 Bypass 2014-12-28 2017-09-07
2.1
None Local Low Not required None Partial None
IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.
28 CVE-2014-6138 200 Bypass +Info 2014-12-12 2017-09-07
4.0
None Remote Low Single system Partial None None
The IBM WebSphere DataPower XC10 appliance 2.1 and 2.5 before FP4 allows remote authenticated users to bypass intended grid-data access restrictions via unspecified vectors.
29 CVE-2014-4844 264 Bypass 2014-12-16 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
The import/export functionality in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5 allows remote authenticated users to bypass intended access restrictions via a project action for a (1) process application or (2) toolkit.
30 CVE-2014-4631 287 Bypass 2014-12-08 2018-10-09
5.0
None Remote Low Not required None Partial None
RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.
31 CVE-2014-4465 20 Bypass 2014-12-10 2015-02-09
5.0
None Remote Low Not required None Partial None
WebKit in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1 allows remote attackers to bypass the Same Origin Policy via crafted Cascading Style Sheets (CSS) token sequences within an SVG file in the SRC attribute of an IMG element.
32 CVE-2014-3703 264 Bypass 2014-12-01 2014-12-05
5.0
None Remote Low Not required None Partial None
OpenStack PackStack 2012.2.1, when the Open vSwitch (OVS) monolithic plug-in is not used, does not properly set the libvirt_vif_driver configuration option when generating the nova.conf configuration, which causes the firewall to be disabled and allows remote attackers to bypass intended access restrictions.
33 CVE-2014-2224 254 Bypass 2014-12-29 2014-12-30
5.0
None Remote Low Not required None Partial None
Plogger 1.0 RC1 and earlier, when the Lucid theme is used, does not assign new values for certain codes, which makes it easier for remote attackers to bypass the CAPTCHA protection mechanism via a series of form submissions.
34 CVE-2014-2209 264 Bypass 2014-12-28 2014-12-30
5.0
None Remote Low Not required None Partial None
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.
35 CVE-2014-1589 284 Bypass 2014-12-11 2016-12-21
6.8
None Remote Medium Not required Partial Partial Partial
Mozilla Firefox before 34.0 and SeaMonkey before 2.31 provide stylesheets with an incorrect primary namespace, which allows remote attackers to bypass intended access restrictions via an XBL binding.
36 CVE-2014-0580 264 Bypass 2014-12-10 2018-12-13
10.0
None Remote Low Not required Complete Complete Complete
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
Total number of vulnerabilities : 36   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.