CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In March 2014

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
451 CVE-2013-3487 79 XSS 2014-03-03 2017-08-28
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the security log in the BulletProof Security plugin before .49 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified HTML header fields to (1) 400.php, (2) 403.php, or (3) 403.php.
452 CVE-2013-3481 119 Exec Code Overflow 2014-03-27 2017-08-28
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in Artweaver Plus and Free before 3.1.5 allows remote attackers to execute arbitrary code via a crafted JPG image file.
453 CVE-2013-3478 89 Exec Code Sql 2014-03-05 2017-08-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Apptha WordPress Video Gallery 2.0, 1.6, and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the playid parameter to index.php.
454 CVE-2013-3260 119 Exec Code Overflow 2014-03-03 2017-08-28
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in INMATRIX Zoom Player before 8.7 beta 11 allows remote attackers to execute arbitrary code via a large biClrUsed value in a BMP file.
455 CVE-2013-3259 119 Exec Code Overflow 2014-03-03 2017-08-28
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in INMATRIX Zoom Player before 8.7 beta 11 allows remote attackers to execute arbitrary code via a large biClrUsed value in a BMP file.
456 CVE-2013-3249 119 Exec Code Overflow 2014-03-20 2017-08-28
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the "Add from text file" feature in the DameWare Exporter tool (DWExporter.exe) in DameWare Remote Support 10.0.0.372, 9.0.1.247, and earlier allows user-assisted attackers to execute arbitrary code via unspecified vectors.
457 CVE-2013-2754 352 1 CSRF 2014-03-11 2014-03-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Umisoft UMI.CMS before 2.9 build 21905 allows remote attackers to hijack the authentication of administrators for requests that add administrator accounts via a request to admin/users/add/user/do/.
458 CVE-2013-2695 79 XSS 2014-03-28 2018-10-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in invite.php in the WP Symposium plugin before 13.04 for WordPress allows remote attackers to inject arbitrary web script or HTML via the u parameter.
459 CVE-2013-2694 20 2014-03-28 2018-10-30
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in invite.php in the WP Symposium plugin 13.04 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the u parameter.
460 CVE-2013-2671 79 XSS 2014-03-14 2017-08-28
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware L (1.10) allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) val parameter to admin/admin_main.html; (3) id, (4) val, or (5) arbitrary parameter name (QUERY_STRING) to admin/profile_settings_net.html; or (6) kind or (7) arbitrary parameter name (QUERY_STRING) to fax/general_setup.html, a different vulnerability than CVE-2013-2507 and CVE-2013-2670.
461 CVE-2013-2670 79 XSS 2014-03-14 2017-08-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Brother MFC-9970CDW printer with firmware G (1.03) and L (1.10) allows remote attackers to inject arbitrary web script or HTML via an arbitrary parameter name (QUERY_STRING) to admin/admin_main.html, a different vulnerability than CVE-2013-2507 and CVE-2013-2671.
462 CVE-2013-2643 79 XSS 2014-03-18 2014-03-19
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component.
463 CVE-2013-2642 78 Exec Code 2014-03-18 2014-03-19
9.3
None Remote Medium Not required Complete Complete Complete
Sophos Web Appliance before 3.7.8.2 allows (1) remote attackers to execute arbitrary commands via shell metacharacters in the client-ip parameter to the Block page, when using the user_workstation variable in a customized template, and remote authenticated users to execute arbitrary commands via shell metacharacters in the (2) url parameter to the Diagnostic Tools functionality or (3) entries parameter to the Local Site List functionality.
464 CVE-2013-2641 22 Dir. Trav. 2014-03-18 2014-03-19
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in patience.cgi in Sophos Web Appliance before 3.7.8.2 allows remote attackers to read arbitrary files via the id parameter.
465 CVE-2013-2619 22 1 Dir. Trav. 2014-03-18 2017-08-28
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in Aspen before 0.22 allows remote attackers to read arbitrary files via a .. (dot dot) to the default URI.
466 CVE-2013-2559 89 Exec Code Sql CSRF 2014-03-27 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in Symphony CMS before 2.3.2 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter to system/authors/. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.
467 CVE-2013-2507 79 XSS 2014-03-14 2017-08-28
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.
468 CVE-2013-2289 79 XSS 2014-03-11 2017-08-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in admin/templates/default.php in Batavi 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to admin/index.php.
469 CVE-2013-2278 DoS Exec Code 2014-03-31 2014-04-01
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in War FTP Daemon (warftpd) 1.82, when running as a Windows service, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to log messages and the "internal log handler to the Windows Event log."
470 CVE-2013-2270 79 XSS 2014-03-09 2017-08-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the administration page in Airvana HubBub C1-600-RT and Sprint AIRAVE 2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
471 CVE-2013-2150 79 XSS 2014-03-14 2014-03-25
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ownCloud before 4.5.12 and 5.x before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to shared files.
472 CVE-2013-2149 79 XSS 2014-03-14 2018-12-06
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.16 and 5.x before 5.0.7 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to shared files.
473 CVE-2013-2089 Exec Code 2014-03-14 2014-03-17
4.6
None Remote High Single system Partial Partial Partial
Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted file, then accessing it via a direct request to the file in /data.
474 CVE-2013-2086 200 +Info CSRF 2014-03-14 2014-03-17
5.0
None Remote Low Not required Partial None None
The configuration loader in ownCloud 5.0.x before 5.0.6 allows remote attackers to obtain CSRF tokens and other sensitive information by reading an unspecified JavaScript file.
475 CVE-2013-2085 22 Dir. Trav. 2014-03-14 2018-12-06
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in apps/files_trashbin/index.php in ownCloud Server before 5.0.6 allows remote authenticated users to access arbitrary files via a .. (dot dot) in the dir parameter.
476 CVE-2013-2048 264 Exec Code CSRF 2014-03-14 2014-03-17
6.5
None Remote Low Single system Partial Partial Partial
ownCloud before 5.0.6 does not properly check permissions, which allows remote authenticated users to execute arbitrary API commands via unspecified vectors. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary API commands.
477 CVE-2013-2047 264 2014-03-14 2014-03-17
2.1
None Local Low Not required None Partial None
The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes it easier for physically proximate attackers to guess the password.
478 CVE-2013-2046 89 Exec Code Sql 2014-03-09 2014-03-10
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in lib/bookmarks.php in ownCloud Server 4.5.x before 4.5.11 and 5.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
479 CVE-2013-2045 89 Exec Code Sql 2014-03-09 2014-03-10
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in lib/db.php in ownCloud Server 5.0.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
480 CVE-2013-2044 20 2014-03-14 2014-03-17
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.
481 CVE-2013-2043 264 2014-03-14 2014-03-17
4.0
None Remote Low Single system Partial None None
apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which allows remote authenticated users to download arbitrary calendars via the calendar_id parameter.
482 CVE-2013-2042 79 XSS 2014-03-14 2014-03-17
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via the url parameter to (1) apps/bookmarks/ajax/addBookmark.php or (2) apps/bookmarks/ajax/editBookmark.php.
483 CVE-2013-2041 79 XSS 2014-03-14 2014-03-17
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tag parameter to apps/bookmarks/ajax/addBookmark.php or (2) dir parameter to apps/files/ajax/newfile.php, which is passed to apps/files/js/files.js.
484 CVE-2013-2040 79 XSS 2014-03-14 2014-03-17
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
485 CVE-2013-2039 22 Dir. Trav. 2014-03-14 2014-03-17
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors.
486 CVE-2013-1963 264 2014-03-14 2014-03-17
4.0
None Remote Low Single system Partial None None
The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which allows remote authenticated users to download arbitrary contacts via unspecified vectors.
487 CVE-2013-1939 20 2014-03-14 2018-12-06
5.0
None Remote Low Not required Partial None None
The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character.
488 CVE-2013-1893 89 Exec Code Sql 2014-03-09 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in addressbookprovider.php in ownCloud Server before 5.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to the contacts application.
489 CVE-2013-1890 79 XSS 2014-03-09 2017-08-28
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) new_name parameter to apps/bookmarks/ajax/renameTag.php or (2) multiple unspecified parameters to unknown files in apps/contacts/ajax/.
490 CVE-2013-1851 2014-03-14 2014-03-25
3.5
None Remote Medium Single system None Partial None
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate application is enabled, allows remote authenticated users to import arbitrary files to the user's account via unspecified vectors.
491 CVE-2013-1850 94 Exec Code 2014-03-14 2014-03-25
6.5
None Remote Low Single system Partial Partial Partial
Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file.
492 CVE-2013-1822 79 XSS 2014-03-14 2014-03-25
2.1
None Remote High Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.8 allow remote authenticated users with administrator privileges to inject arbitrary web script or HTML via the (1) quota parameter to /core/settings/ajax/setquota.php, or remote authenticated users with group admin privileges to inject arbitrary web script or HTML via the (2) group field to settings.php or (3) "share with" field.
493 CVE-2013-1759 79 XSS 2014-03-14 2017-08-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Responsive Logo Slideshow plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the "URL and Image" field.
494 CVE-2013-1758 79 XSS 2014-03-14 2014-03-25
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Marekkis Watermark plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pfad parameter to wp-admin/options-general.php. NOTE: some of these details are obtained from third party information.
495 CVE-2013-1636 79 XSS 2014-03-12 2017-08-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3, allows remote attackers to inject arbitrary web script or HTML via the get-data parameter.
496 CVE-2013-1605 119 1 Exec Code Overflow 2014-03-25 2017-08-28
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in MayGion IP Cameras with firmware before 2013.04.22 (05.53) allows remote attackers to execute arbitrary code via a long filename in a GET request.
497 CVE-2013-1604 22 1 Dir. Trav. 2014-03-25 2017-08-28
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in MayGion IP Cameras with firmware before 2013.04.22 (05.53) allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.
498 CVE-2013-1409 79 XSS 2014-03-03 2014-03-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the CommentLuv plugin before 2.92.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _ajax_nonce parameter to wp-admin/admin-ajax.php.
499 CVE-2013-1408 89 Exec Code Sql CSRF 2014-03-24 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in the Wysija Newsletters plugin before 2.2.1 for WordPress allow remote authenticated administrators to execute arbitrary SQL commands via the (1) search or (2) orderby parameter to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.
500 CVE-2013-1399 352 CSRF 2014-03-14 2019-07-10
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Total number of vulnerabilities : 538   Page : 1 2 3 4 5 6 7 8 9 10 (This Page)11
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.