CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1751 CVE-2014-0131 399 +Info 2014-03-24 2015-03-25
2.9
None Local Network Medium Not required Partial None None
Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.
1752 CVE-2014-0103 310 +Info 2014-07-29 2015-11-04
2.1
None Local Low Not required Partial None None
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.
1753 CVE-2014-0085 255 +Info 2014-04-17 2018-10-23
2.1
None Local Low Not required Partial None None
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.
1754 CVE-2014-0059 200 +Info 2014-11-17 2016-09-30
2.1
None Local Low Not required Partial None None
JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive information by reading this file.
1755 CVE-2014-0056 287 2014-05-08 2014-06-05
2.1
None Remote High Single system Partial None None
The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.
1756 CVE-2014-0046 79 XSS 2014-02-27 2018-08-13
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the link-to helper in Ember.js 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6, when used in non-block form, allows remote attackers to inject arbitrary web script or HTML via the title attribute.
1757 CVE-2013-7461 284 Bypass 2017-03-14 2017-03-16
2.1
None Local Low Not required None Partial None
A write protection and execution bypass vulnerability in McAfee (now Intel Security) Change Control (MCC) 6.1.0 for Linux and earlier allows authenticated users to change files that are part of write protection rules via specific conditions.
1758 CVE-2013-7460 284 Bypass 2017-03-14 2017-03-17
2.1
None Local Low Not required None Partial None
A write protection and execution bypass vulnerability in McAfee (now Intel Security) Application Control (MAC) 6.1.0 for Linux and earlier allows authenticated users to change binaries that are part of the Application Control whitelist and allows execution of binaries via specific conditions.
1759 CVE-2013-7458 200 +Info 2016-08-10 2018-08-08
2.1
None Local Low Not required Partial None None
linenoise, as used in Redis before 3.2.3, uses world-readable permissions for .rediscli_history, which allows local users to obtain sensitive information by reading the file.
1760 CVE-2013-7421 264 2015-03-02 2018-01-04
2.1
None Local Low Not required None Partial None
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.
1761 CVE-2013-7393 59 +Priv 2014-07-28 2016-10-17
2.4
None Local High Single system None Partial Partial
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions (ADT3).
1762 CVE-2013-7273 DoS 2014-04-29 2014-04-30
2.1
None Local Low Not required None None Partial
GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list is set to true, allows local users to cause a denial of service (unable to login) by pressing the cancel button after entering a user name.
1763 CVE-2013-7203 200 +Info 2018-09-21 2018-11-19
2.1
None Local Low Not required Partial None None
gitolite before commit fa06a34 might allow local users to read arbitrary files in repositories via vectors related to the user umask when running gitolite setup.
1764 CVE-2013-7128 310 +Info 2013-12-17 2013-12-18
2.1
None Local Low Not required Partial None None
Valve Bug Reporter in the valve-bugreporter package 2.10+bsos1 in Valve SteamOS Beta stores cleartext credentials in a .valve-bugreporter.cfg file upon a Remember Credentials action, which allows local users to obtain sensitive information by reading this file.
1765 CVE-2013-7127 310 +Info 2013-12-17 2017-08-28
2.1
None Local Low Not required Partial None None
Apple Safari 6.0.5 on Mac OS X 10.7.5 and 10.8.5 stores cleartext credentials in LastSession.plist, which allows local users to obtain sensitive information by reading this file.
1766 CVE-2013-7078 79 XSS 2014-01-19 2017-08-28
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message. NOTE: this might be the same vulnerability as CVE-2013-7072.
1767 CVE-2013-7064 79 XSS 2014-04-29 2014-04-29
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the EU Cookie Compliance module 7.x-1.x before 7.x-1.12 for Drupal allows remote authenticated administrators with the "Administer EU Cookie Compliance popup" permission to inject arbitrary web script or HTML via unspecified configuration values.
1768 CVE-2013-6986 310 Bypass +Info 2013-12-12 2013-12-19
2.1
None Local Low Not required Partial None None
The ZippyYum Subway CA Kiosk app 3.4 for iOS uses cleartext storage in SQLite cache databases, which allows attackers to obtain sensitive information by reading data elements, as demonstrated by password elements.
1769 CVE-2013-6956 79 XSS 2013-12-13 2014-01-03
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Secure Access Service Web rewriting feature in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS before 7.1r17, 7.3 before 7.3r8, 7.4 before 7.4r6, and 8.0 before 8.0r1, when web rewrite is enabled, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
1770 CVE-2013-6497 17 DoS 2014-12-01 2017-08-28
2.1
None Local Low Not required None None Partial
clamscan in ClamAV before 0.98.5, when using -a option, allows remote attackers to cause a denial of service (crash) as demonstrated by the jwplayer.js file.
1771 CVE-2013-6494 17 DoS 2014-12-01 2014-12-02
2.1
None Local Low Not required None None Partial
fedup 0.9.0 in Fedora 19, 20, and 21 uses a temporary directory with a static name for its download cache, which allows local users to cause a denial of service (prevention of system updates).
1772 CVE-2013-6493 200 +Info 2014-03-03 2014-03-16
2.1
None Local Low Not required Partial None None
The LiveConnect implementation in plugin/icedteanp/IcedTeaNPPlugin.cc in IcedTea-Web before 1.4.2 allows local users to read the messages between a Java applet and a web browser by pre-creating a temporary socket file with a predictable name in /tmp.
1773 CVE-2013-6480 200 +Info 2014-01-07 2018-10-09
2.1
None Local Low Not required Partial None None
Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.
1774 CVE-2013-6436 264 DoS 2014-01-07 2015-01-02
2.1
None Local Low Not required None None Partial
The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt 1.0.5 through 1.2.0 does not properly check the status of LXC guests when reading memory tunables, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) via a guest in the shutdown status, as demonstrated by the "virsh memtune" command.
1775 CVE-2013-6402 59 2014-01-05 2014-03-05
2.1
None Local Low Not required None Partial None
base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.11 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hp-pkservice.log temporary file.
1776 CVE-2013-6398 264 Bypass 2014-01-15 2014-09-04
2.8
None Remote Medium Multiple systems Partial None None
The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request.
1777 CVE-2013-6394 310 2013-12-13 2018-10-30
2.1
None Local Low Not required None Partial None
Percona XtraBackup before 2.1.6 uses a constant string for the initialization vector (IV), which makes it easier for local users to defeat cryptographic protection mechanisms and conduct plaintext attacks.
1778 CVE-2013-6387 79 XSS 2013-12-24 2014-01-03
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field.
1779 CVE-2013-6372 255 2014-05-08 2014-05-09
2.1
None Local Low Not required Partial None None
The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.
1780 CVE-2013-6335 264 Bypass 2014-08-26 2017-08-28
2.6
None Local High Not required Partial Partial None
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and restore operations, which allows local users to bypass intended access restrictions via standard filesystem operations.
1781 CVE-2013-6223 255 2014-06-09 2014-06-24
2.1
None Local Low Not required Partial None None
LiveZilla before 5.1.1.0 stores the admin Base64 encoded username and password in a 1click file, which allows local users to obtain access by reading the file.
1782 CVE-2013-6216 +Priv 2014-04-12 2014-04-14
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in HP Array Configuration Utility, Array Diagnostics Utility, ProLiant Array Diagnostics, and SmartSSD Wear Gauge Utility 9.40 and earlier allows local users to gain privileges via unknown vectors.
1783 CVE-2013-6181 310 +Info 2013-12-27 2014-01-07
2.1
None Local Low Not required Partial None None
EMC Watch4Net before 6.3 stores cleartext polled-device passwords in the installation repository, which allows local users to obtain sensitive information by leveraging repository privileges.
1784 CVE-2013-5964 79 XSS 2013-09-30 2013-10-10
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the administration page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag title.
1785 CVE-2013-5951 79 XSS 2014-03-25 2016-12-30
2.6
None Remote High Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer 2.1.3, when used as a component for Joomla!, allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) application.js.php in scripts/ or (2) admin.php, (3) copy_move.php, (4) functions.php, (5) header.php, or (6) upload.php in include/.
1786 CVE-2013-5908 2014-01-15 2017-08-28
2.6
None Remote High Not required None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling.
1787 CVE-2013-5875 2014-01-15 2017-08-28
2.7
None Local Medium Multiple systems None Partial Partial
Unspecified vulnerability in Oracle Solaris 11.1 allows local users to affect integrity and availability via vectors related to Role Based Access Control (RBAC).
1788 CVE-2013-5872 2014-01-15 2017-08-28
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local users to affect availability via vectors related to Name Service Cache Daemon (NSCD).
1789 CVE-2013-5854 2013-10-16 2017-09-18
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in Oracle Java SE 7u40 and earlier and JavaFX 2.2.40 and earlier allows remote attackers to affect confidentiality via unknown vectors.
1790 CVE-2013-5837 2013-10-16 2013-10-17
2.1
None Remote High Single system Partial None None
Unspecified vulnerability in the Oracle Health Sciences InForm component in Oracle Industry Applications 4.6 SP0, 4.6 SP0a-c, 4.6 SP1, 4.6 SP1a-c, 4.6 SP2, 4.6 SP2a-c, 5.0 SP0, 5.0 SP0a, 5.0 SP1, 5.0 SP1a-b, 5.0.3, and 5.0.4 allows remote authenticated users to affect confidentiality via unknown vectors related to Cognos.
1791 CVE-2013-5808 2014-01-15 2014-02-06
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in the Oracle iPlanet Web Proxy Server component in Oracle Fusion Middleware 4.0 allows remote attackers to affect confidentiality via unknown vectors related to Administration.
1792 CVE-2013-5803 2013-10-16 2018-01-04
2.6
None Remote High Not required None None Partial
Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect availability via vectors related to JGSS.
1793 CVE-2013-5772 2013-10-16 2018-01-04
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in the Java SE component in Oracle Java SE Java SE 7u40 and earlier and Java SE 6u60 and earlier allows remote attackers to affect integrity via unknown vectors related to jhat.
1794 CVE-2013-5770 2013-10-16 2017-01-06
2.1
None Remote High Single system None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking.
1795 CVE-2013-5762 2013-10-16 2013-10-16
2.4
None Local High Single system Partial None Partial
Unspecified vulnerability in the Oracle Siebel CTMS component in Oracle Industry Applications 8.1.1.x allows local users to affect confidentiality and availability via unknown vectors related to SC-OC Integration.
1796 CVE-2013-5724 264 2013-09-12 2013-09-23
2.1
None Local Low Not required None Partial None
Phpbb3 before 3.0.11-4 for Debian GNU/Linux uses world-writable permissions for cache files, which allows local users to modify the file contents via standard filesystem write operations.
1797 CVE-2013-5679 310 Bypass 2013-09-30 2016-05-05
2.6
None Local High Not required Partial Partial None
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length.
1798 CVE-2013-5587 79 XSS 2013-08-23 2013-08-26
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a ticket. NOTE: this issue has been SPLIT from CVE-2013-3371 due to different affected versions.
1799 CVE-2013-5440 200 +Info 2013-12-18 2017-08-28
2.1
None Local Low Not required Partial None None
IBM InfoSphere Information Server 8.0, 8.1, 8.5, 8.7, and 9.1 allows local users to obtain sensitive information in opportunistic circumstances by leveraging the presence of file content after a failed installation.
1800 CVE-2013-5429 287 2014-01-20 2017-08-28
2.1
None Remote High Single system None Partial None
The Risk Based Access functionality in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.2 before FP9 does not prevent reuse of One Time Password (OTP) tokens, which makes it easier for remote authenticated users to complete transactions by leveraging access to an already-used token.
Total number of vulnerabilities : 4356   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 (This Page)37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.