CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1651 CVE-2015-0170 200 +Info 2015-05-25 2015-05-26
2.1
None Local Low Not required Partial None None
IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows local users to obtain sensitive information by reading cached data.
1652 CVE-2015-0146 264 Bypass +Info 2015-03-18 2015-03-18
2.1
None Local Low Not required Partial None None
IBM Content Collector for Email 3.0 before 3.0.0.6-IBM-ICC-Server-IF001 and 4.0 before 4.0.0.3-IBM-ICC-Server-IF001 does not properly handle an unspecified query operator during searches of IBM FileNet P8 systems with IBM Content Search Services, which allows local users to bypass intended document-access restrictions and obtain sensitive information via a crafted search query.
1653 CVE-2015-0136 200 +Info 2015-03-23 2015-03-24
2.1
None Local Low Not required Partial None None
powervc-iso-import in IBM PowerVC 1.2.0.x before 1.2.0.4 and 1.2.1.x before 1.2.2 places an access token on the command line during IVM and PowerKVM management, which allows local users to obtain sensitive information by listing the process.
1654 CVE-2015-0094 200 Bypass +Info 2015-03-11 2019-05-14
2.1
None Local Low Not required Partial None None
The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly restrict the availability of address information during a function call, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability."
1655 CVE-2015-0084 254 Bypass 2015-03-11 2019-05-14
2.1
None Local Low Not required None Partial None
The Task Scheduler in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly constrain impersonation levels, which allows local users to bypass intended restrictions on launching executable files via a crafted task, aka "Task Scheduler Security Feature Bypass Vulnerability."
1656 CVE-2015-0077 200 Bypass +Info 2015-03-11 2019-05-14
2.1
None Local Low Not required Partial None None
The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly initialize function buffers, which allows local users to obtain sensitive information from kernel memory, and possibly bypass the ASLR protection mechanism, via a crafted application, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability."
1657 CVE-2014-9913 119 DoS Overflow 2017-01-18 2017-01-20
2.1
None Local Low Not required None None Partial
Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method.
1658 CVE-2014-9903 200 +Info 2016-06-27 2016-11-28
2.1
None Local Low Not required Partial None None
The sched_read_attr function in kernel/sched/core.c in the Linux kernel 3.14-rc before 3.14-rc4 uses an incorrect size, which allows local users to obtain sensitive information from kernel stack memory via a crafted sched_getattr system call.
1659 CVE-2014-9770 264 +Info 2016-04-20 2018-10-30
2.1
None Local Low Not required Partial None None
tmpfiles.d/systemd.conf in systemd before 214 uses weak permissions for journal files under (1) /run/log/journal/%m and (2) /var/log/journal/%m, which allows local users to obtain sensitive information by reading these files.
1660 CVE-2014-9740 79 XSS 2015-07-06 2015-07-08
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Rules Link module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer rules links" permission to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the (1) question and (2) description strings in a confirmation form for a triggering Rules link.
1661 CVE-2014-9731 17 +Info 2015-08-31 2017-07-12
2.1
None Local Low Not required Partial None None
The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target's name along with a trailing \0 character, which allows local users to obtain sensitive information via a crafted filesystem image, related to fs/udf/symlink.c and fs/udf/unicode.c.
1662 CVE-2014-9680 200 +Info 2017-04-24 2018-01-04
2.1
None Local Low Not required Partial None None
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
1663 CVE-2014-9645 20 Bypass 2017-03-12 2019-04-03
2.1
None Local Low Not required None Partial None
The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.
1664 CVE-2014-9644 264 2015-03-02 2018-01-04
2.1
None Local Low Not required None Partial None
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.
1665 CVE-2014-9585 264 Bypass 2015-01-09 2018-01-04
2.1
None Local Low Not required None Partial None
The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD.
1666 CVE-2014-9584 20 +Info 2015-01-09 2018-01-04
2.1
None Local Low Not required Partial None None
The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image.
1667 CVE-2014-9568 200 +Info 2015-02-03 2015-02-17
2.1
None Local Low Not required Partial None None
puppetlabs-rabbitmq 3.0 through 4.1 stores the RabbitMQ Erlang cookie value in the facts of a node, which allows local users to obtain sensitive information as demonstrated by using Facter.
1668 CVE-2014-9507 79 XSS 2015-01-04 2015-01-13
2.6
None Remote High Not required None Partial None
MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS.
1669 CVE-2014-9478 79 XSS 2015-01-16 2015-01-20
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page.
1670 CVE-2014-9433 79 XSS 2014-12-31 2018-10-09
2.6
None Remote High Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in cms/front_content.php in Contenido before 4.9.6, when advanced mod rewrite (AMR) is disabled, allow remote attackers to inject arbitrary web script or HTML via the (1) idart, (2) lang, or (3) idcat parameter.
1671 CVE-2014-9419 200 Bypass +Info 2014-12-25 2018-01-04
2.1
None Local Low Not required Partial None None
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address.
1672 CVE-2014-9418 119 DoS Overflow 2014-12-24 2014-12-29
2.1
None Local Low Not required None None Partial
The eSpace Meeting ActiveX control (eSpaceStatusCtrl.dll) in Huawei eSpace Desktop before V200R001C03 allows local users to cause a denial of service (memory overflow) via unspecified vectors.
1673 CVE-2014-9417 20 DoS 2014-12-24 2014-12-29
2.1
None Local Low Not required None None Partial
The Meeting component in Huawei eSpace Desktop before V100R001C03 allows local users to cause a denial of service (program exit) via a crafted image.
1674 CVE-2014-9269 79 XSS 2015-01-09 2017-01-02
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.
1675 CVE-2014-9252 200 +Info 2014-12-15 2016-03-21
2.1
None Local Low Not required Partial None None
Zenoss Core through 5 Beta 3 stores cleartext passwords in the session database, which might allow local users to obtain sensitive information by reading database entries, aka ZEN-15416.
1676 CVE-2014-9191 399 DoS 2015-01-09 2016-12-07
2.1
None Local Low Not required None None Partial
The CodeWrights HART Device Type Manager (DTM) library in Emerson HART DTM before 1.4.181 allows physically proximate attackers to cause a denial of service (DTM outage and FDT Frame application hang) by transmitting crafted response packets on the 4-20 mA current loop.
1677 CVE-2014-8991 264 DoS 2014-11-24 2016-11-22
2.1
None Local Low Not required None None Partial
pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.
1678 CVE-2014-8889 200 +Info 2017-09-25 2018-10-09
2.6
None Remote High Not required Partial None None
Dropbox SDK for Android before 1.6.2 might allow remote attackers to obtain sensitive information via crafted malware or via a drive-by download attack.
1679 CVE-2014-8834 200 +Info 2015-01-30 2017-09-07
2.1
None Local Low Not required Partial None None
UserAccountUpdater in Apple OS X 10.10 before 10.10.2 stores a PDF document's password in a printing preference file, which allows local users to obtain sensitive information by reading a file.
1680 CVE-2014-8833 284 2015-01-30 2017-09-07
2.1
None Local Low Not required Partial None None
SpotlightIndex in Apple OS X before 10.10.2 does not properly perform deserialization during access to a permission cache, which allows local users to read search results associated with other users' protected files via a Spotlight query.
1681 CVE-2014-8827 284 +Info 2015-01-30 2017-09-07
2.1
None Local Low Not required Partial None None
LoginWindow in Apple OS X before 10.10.2 does not transition to the lock-screen state immediately upon being woken from sleep, which allows physically proximate attackers to obtain sensitive information by reading the screen.
1682 CVE-2014-8733 200 +Info 2015-02-10 2015-02-11
2.1
None Local Low Not required Partial None None
Cloudera Manager 5.2.0, 5.2.1, and 5.3.0 stores the LDAP bind password in plaintext in unspecified world-readable files under /etc/hadoop, which allows local users to obtain this password.
1683 CVE-2014-8716 125 DoS 2017-04-11 2017-04-17
2.1
None Local Low Not required None None Partial
The JPEG decoder in ImageMagick before 6.8.9-9 allows local users to cause a denial of service (out-of-bounds memory access and crash).
1684 CVE-2014-8607 200 +Info 2015-06-10 2015-06-11
2.1
None Local Low Not required Partial None None
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users to obtain sensitive information via the ps command.
1685 CVE-2014-8537 200 +Info 2014-10-29 2017-09-07
2.1
None Local Low Not required Partial None None
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading the logs.
1686 CVE-2014-8536 200 +Info 2014-10-29 2017-09-07
2.1
None Local Low Not required Partial None None
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading unspecified error messages.
1687 CVE-2014-8534 DoS 2014-10-29 2014-10-30
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the login form in McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to cause a denial of service via a crafted value in the domain field.
1688 CVE-2014-8529 310 +Info 2014-10-29 2014-10-30
2.1
None Local Low Not required Partial None None
McAfee Network Data Loss Prevention (NDLP) before 9.3 stores the SSH key in cleartext, which allows local users to obtain sensitive information via unspecified vectors.
1689 CVE-2014-8528 200 +Info 2014-10-29 2014-10-30
2.1
None Local Low Not required Partial None None
McAfee Network Data Loss Prevention (NDLP) before 9.3 logs session IDs, which allows local users to obtain sensitive information by reading the audit log.
1690 CVE-2014-8526 200 +Info 2014-10-29 2014-10-30
2.1
None Local Low Not required Partial None None
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information by reading a Java stack trace.
1691 CVE-2014-8519 2014-10-29 2014-10-30
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to read arbitrary files via unknown vectors.
1692 CVE-2014-8518 255 2014-10-29 2014-11-18
2.1
None Local Low Not required Partial None None
The (1) Removable Media and (2) CD and DVD encryption offsite access options (formerly Endpoint Encryption for Removable Media or EERM) in McAfee File and Removable Media Protection (FRP) 4.3.0.x, and Endpoint Encryption for Files and Folders (EEFF) 3.2.x through 4.2.x, uses a hard-coded salt, which makes it easier for local users to obtain passwords via a brute force attack.
1693 CVE-2014-8476 200 +Info 2014-11-13 2014-11-14
2.1
None Local Low Not required Partial None None
The setlogin function in FreeBSD 8.4 through 10.1-RC4 does not initialize the buffer used to store the login name, which allows local users to obtain sensitive information from kernel memory via a call to getlogin, which returns the entire buffer.
1694 CVE-2014-8399 DoS 2014-10-31 2014-11-03
2.1
None Local Low Not required None None Partial
The default configuration in systemd-shim 8 enables the Abandon debugging clause, which allows local users to cause a denial of service via unspecified vectors.
1695 CVE-2014-8335 255 +Info 2018-01-05 2018-01-19
2.1
None Local Low Not required Partial None None
(1) wp-dbmanager.php and (2) database-manage.php in the WP-DBManager (aka Database Manager) plugin before 2.7.2 for WordPress place credentials on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.
1696 CVE-2014-8180 287 DoS Bypass 2017-06-06 2017-06-14
2.1
None Local Low Not required None None Partial
MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service.
1697 CVE-2014-8136 264 DoS 2014-12-19 2018-10-30
2.1
None Local Low Not required None None Partial
The (1) qemuDomainMigratePerform and (2) qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allow local users to cause a denial of service via unspecified vectors.
1698 CVE-2014-8135 DoS 2014-12-19 2015-01-09
2.1
None Local Low Not required None None Partial
The storageVolUpload function in storage/storage_driver.c in libvirt before 1.2.11 does not check a certain return value, which allows local users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted offset value in a "virsh vol-upload" command.
1699 CVE-2014-8134 264 Bypass 2014-12-12 2017-01-02
2.1
None Local Low Not required Partial None None
The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value.
1700 CVE-2014-8133 264 Bypass 2014-12-17 2016-12-23
2.1
None Local Low Not required None Partial None
arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value.
Total number of vulnerabilities : 4508   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 (This Page)35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.