CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1701 CVE-2014-7954 22 Dir. Trav. 2017-07-07 2018-10-09
2.1
None Local Low Not required None Partial None
Directory traversal vulnerability in the doSendObjectInfo method in frameworks/av/media/mtp/MtpServer.cpp in Android 4.4.4 allows physically proximate attackers with a direct connection to the target Android device to upload files outside of the sdcard via a .. (dot dot) in a name parameter of an MTP request.
1702 CVE-2014-7835 79 XSS 2014-11-24 2015-09-03
2.1
None Remote High Single system None Partial None
webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area.
1703 CVE-2014-7824 399 DoS 2014-11-18 2017-09-07
2.1
None Local Low Not required None None Partial
D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.
1704 CVE-2014-7231 200 +Info 2014-10-08 2018-11-16
2.1
None Local Low Not required Partial None None
The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.
1705 CVE-2014-7230 200 Exec Code +Info 2014-10-08 2018-11-16
2.1
None Local Low Not required Partial None None
The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.
1706 CVE-2014-6591 2015-01-21 2016-12-21
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6585.
1707 CVE-2014-6585 2015-01-21 2016-12-21
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6591.
1708 CVE-2014-6558 2014-10-15 2017-01-02
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security.
1709 CVE-2014-6551 2014-10-15 2018-12-18
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows local users to affect confidentiality via vectors related to CLIENT:MYSQLADMIN.
1710 CVE-2014-6527 2014-10-15 2015-03-16
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6476.
1711 CVE-2014-6502 2014-10-15 2015-03-17
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries.
1712 CVE-2014-6501 2014-10-15 2015-11-06
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality via vectors related to SSH.
1713 CVE-2014-6488 2014-10-15 2015-11-06
2.1
None Remote High Single system None Partial None
Unspecified vulnerability in the Enterprise Manager for Oracle Database component in Oracle Enterprise Manager Grid Control EM Base Platform: 10.2.0.5, 11.1.0.1 EM DB Control: 11.1.0.7, 11.2.0.3, 11.2.0.4 EM Plugin for DB: 12.1.0.4, 12.1.0.5, and 12.1.0.6 allows remote authenticated users to affect integrity via unknown vectors related to Content Management.
1714 CVE-2014-6381 20 DoS 2014-12-12 2014-12-16
2.9
None Local Network Medium Not required None None Partial
Juniper WLC devices with WLAN Software releases 8.0.x before 8.0.4, 9.0.x before 9.0.2.11, 9.0.3.x before 9.0.3.5, and 9.1.x before 9.1.1, when "Proxy ARP" or "No Broadcast" features are enabled in a clustered setup, allows remote attackers to cause a denial of service (device disconnect) via unspecified vectors.
1715 CVE-2014-6211 200 +Info 2015-05-19 2017-01-02
2.1
None Local Low Not required Partial None None
The command-line scripts in IBM WebSphere Commerce 6.0 through 6.0.0.11, 7.0 through 7.0.0.9, and 7.0 Feature Pack 2 through 8, when debugging is configured, do not properly restrict the logging of personal data, which allows local users to obtain sensitive information by reading a log file.
1716 CVE-2014-6160 264 Bypass 2014-12-28 2017-09-07
2.1
None Local Low Not required None Partial None
IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.
1717 CVE-2014-6147 200 +Priv +Info 2015-02-18 2017-09-07
2.1
None Local Low Not required Partial None None
IBM Flex System Manager (FSM) 1.1.x.x, 1.2.0.x, 1.2.1.x, 1.3.0.0, 1.3.1.0, and 1.3.2.0 allows local users to obtain sensitive information, and consequently gain privileges or conduct impersonation attacks, via unspecified vectors.
1718 CVE-2014-6143 200 +Info 2014-12-11 2017-09-07
2.1
None Local Low Not required Partial None None
The IBM WebSphere DataPower XC10 appliance 2.1 and 2.5 before FP4 allows local users to obtain sensitive information by reading a response.
1719 CVE-2014-6133 +Info 2014-10-26 2017-09-07
2.1
None Local Low Not required Partial None None
IBM API Management 3.x before 3.0.1.0 allows local users to obtain sensitive ciphertext information via unspecified vectors.
1720 CVE-2014-6123 200 +Info 2014-12-28 2017-09-07
2.1
None Local Low Not required Partial None None
IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to obtain sensitive credential information by reading installation logs.
1721 CVE-2014-6111 255 2018-04-20 2018-05-22
2.1
None Local Low Not required Partial None None
IBM Tivoli Identity Manager 5.1.x before 5.1.0.15-ISS-TIM-IF0057 and Security Identity Manager 6.0.x before 6.0.0.4-ISS-SIM-IF0001 and 7.0.x before 7.0.0.0-ISS-SIM-IF0003 store encrypted user credentials and the keystore password in cleartext in configuration files, which allows local users to decrypt SIM credentials via unspecified vectors. IBM X-Force ID: 96180.
1722 CVE-2014-6110 284 2014-11-17 2017-09-07
2.1
None Local Low Not required None Partial None
IBM Security Identity Manager 6.x before 6.0.0.3 IF14 does not properly perform logout actions, which allows remote attackers to access sessions by leveraging an unattended workstation.
1723 CVE-2014-6102 264 Bypass 2015-02-16 2017-09-07
2.1
None Local Low Not required None Partial None
IBM Maximo Asset Management 7.1 through 7.1.1.13 and 7.5.0 before 7.5.0.6 IFIX008, Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products do not properly handle logout actions, which allows remote attackers to bypass intended Cognos BI Direct Integration access restrictions by leveraging an unattended workstation.
1724 CVE-2014-5457 264 2014-08-25 2014-08-26
2.1
None Local Low Not required Partial None None
QNAP TS-469U with firmware 4.0.7 Build 20140410, TS-459U, TS-EC1679U-RP, and SS-839 use world-readable permissions for /etc/config/shadow, which allows local users to obtain usernames and hashed passwords by reading the password.
1725 CVE-2014-5456 79 XSS 2014-08-25 2015-08-06
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Social Stats module before 7.x-1.5 for Drupal allows remote authenticated users with the "[Content Type]: Create new content" permission to inject arbitrary web script or HTML via vectors related to the configuration.
1726 CVE-2014-5450 200 +Info 2018-03-19 2018-04-20
2.1
None Local Low Not required Partial None None
Zarafa Collaboration Platform 4.1 uses world-readable permissions for /etc/zarafa/license, which allows local users to obtain sensitive information by reading license files.
1727 CVE-2014-5449 200 +Info 2014-10-20 2017-09-07
2.1
None Local Low Not required Partial None None
Zarafa WebAccess 4.1 and WebApp uses world-readable permissions for the files in their tmp directory, which allows local users to obtain sensitive information by reading temporary session data.
1728 CVE-2014-5448 200 +Info 2014-10-20 2017-09-07
2.1
None Local Low Not required Partial None None
Zarafa 5.00 uses world-readable permissions for the files in the log directory, which allows local users to obtain sensitive information by reading the log files.
1729 CVE-2014-5447 200 +Info 2014-10-20 2015-11-17
2.1
None Local Low Not required Partial None None
Zarafa WebAccess 7.1.10 and WebApp 1.6 beta uses weak permissions (644) for config.php, which allows local users to obtain sensitive information by reading the PHP session files. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0103.
1730 CVE-2014-5400 200 +Info 2015-04-03 2015-04-03
2.1
None Local Low Not required Partial None None
The installation component in Hospira MedNet before 6.1 places cleartext credentials in configuration files, which allows local users to obtain sensitive information by reading a file.
1731 CVE-2014-5398 20 DoS 2014-08-27 2014-08-28
2.1
None Local Low Not required Partial None None
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
1732 CVE-2014-5351 255 2014-10-09 2018-02-03
2.1
None Remote High Single system Partial None None
The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.
1733 CVE-2014-5270 200 +Info 2014-10-09 2017-11-03
2.1
None Local Low Not required Partial None None
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
1734 CVE-2014-5247 264 +Info 2014-08-29 2018-10-09
2.1
None Local Low Not required Partial None None
The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command.
1735 CVE-2014-5240 79 XSS 2014-08-18 2015-11-25
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.
1736 CVE-2014-5231 200 +Info 2015-01-14 2015-11-13
2.1
None Local Low Not required Partial None None
The Siemens SIMATIC WinCC [email protected] app before 1.0.2 for iOS allows physically proximate attackers to extract the password from storage via unspecified vectors.
1737 CVE-2014-5171 310 +Info 2014-07-31 2018-10-09
2.9
None Local Network Medium Not required Partial None None
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.
1738 CVE-2014-5038 200 +Info 2014-11-07 2014-11-10
2.1
None Local Low Not required Partial None None
Eucalyptus 3.0.0 through 4.0.1, when the log level is set to DEBUG or lower, logs user and system passwords, which allows local users to obtain sensitive information by reading the cloud log files.
1739 CVE-2014-5037 200 +Info 2014-11-07 2014-11-10
2.1
None Local Low Not required Partial None None
Eucalyptus 4.0.0 through 4.0.1, when the log level is set to INFO, logs user and system passwords, which allows local users to obtain sensitive information by reading cloud-requests.log.
1740 CVE-2014-5021 79 XSS 2014-07-22 2014-07-22
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label.
1741 CVE-2014-5004 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
lib/brbackup.rb in the brbackup gem 0.1.1 for Ruby places the database password on the mysql command line, which allows local users to obtain sensitive information by listing the process.
1742 CVE-2014-5003 20 +Priv 2018-01-10 2018-01-30
2.1
None Local Low Not required None Partial None
chef/travis-cookbooks/ci_environment/perlbrew/recipes/default.rb in the ciborg gem 3.0.0 for Ruby allows local users to write to arbitrary files and gain privileges via a symlink attack on /tmp/perlbrew-installer.
1743 CVE-2014-5002 255 +Info 2018-01-10 2019-05-06
2.1
None Local Low Not required Partial None None
The lynx gem before 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.
1744 CVE-2014-5001 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
lib/ksymfony1.rb in the kcapifony gem 2.1.6 for Ruby places database user passwords on the (1) mysqldump, (2) pg_dump, (3) mysql, and (4) psql command lines, which allows local users to obtain sensitive information by listing the processes.
1745 CVE-2014-5000 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
The login function in lib/lawn.rb in the lawn-login gem 0.0.7 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process.
1746 CVE-2014-4999 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
vendor/plugins/dataset/lib/dataset/database/mysql.rb in the kajam gem 1.0.3.rc2 for Ruby places the mysql user password on the (1) mysqldump command line in the capture function and (2) mysql command line in the restore function, which allows local users to obtain sensitive information by listing the process.
1747 CVE-2014-4998 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
test/tc_database.rb in the lean-ruport gem 0.3.8 for Ruby places the mysql user password on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.
1748 CVE-2014-4997 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
lib/commands/setup.rb in the point-cli gem 0.0.1 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process.
1749 CVE-2014-4996 59 2018-01-10 2018-01-30
2.1
None Local Low Not required None Partial None
lib/vlad/dba/mysql.rb in the VladTheEnterprising gem 0.2 for Ruby allows local users to write to arbitrary files via a symlink attack on /tmp/my.cnf.#{target_host}.
1750 CVE-2014-4994 20 2018-01-10 2018-01-30
2.1
None Local Low Not required None Partial None
lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users to write to arbitrary files via a symlink attack on a temporary file, related to time-based filenames.
Total number of vulnerabilities : 4508   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 (This Page)36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.