CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1851 CVE-2014-5021 79 XSS 2014-07-22 2014-07-22
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label.
1852 CVE-2014-5004 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
lib/brbackup.rb in the brbackup gem 0.1.1 for Ruby places the database password on the mysql command line, which allows local users to obtain sensitive information by listing the process.
1853 CVE-2014-5003 20 +Priv 2018-01-10 2018-01-30
2.1
None Local Low Not required None Partial None
chef/travis-cookbooks/ci_environment/perlbrew/recipes/default.rb in the ciborg gem 3.0.0 for Ruby allows local users to write to arbitrary files and gain privileges via a symlink attack on /tmp/perlbrew-installer.
1854 CVE-2014-5002 255 +Info 2018-01-10 2019-05-06
2.1
None Local Low Not required Partial None None
The lynx gem before 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.
1855 CVE-2014-5001 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
lib/ksymfony1.rb in the kcapifony gem 2.1.6 for Ruby places database user passwords on the (1) mysqldump, (2) pg_dump, (3) mysql, and (4) psql command lines, which allows local users to obtain sensitive information by listing the processes.
1856 CVE-2014-5000 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
The login function in lib/lawn.rb in the lawn-login gem 0.0.7 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process.
1857 CVE-2014-4999 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
vendor/plugins/dataset/lib/dataset/database/mysql.rb in the kajam gem 1.0.3.rc2 for Ruby places the mysql user password on the (1) mysqldump command line in the capture function and (2) mysql command line in the restore function, which allows local users to obtain sensitive information by listing the process.
1858 CVE-2014-4998 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
test/tc_database.rb in the lean-ruport gem 0.3.8 for Ruby places the mysql user password on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.
1859 CVE-2014-4997 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
lib/commands/setup.rb in the point-cli gem 0.0.1 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process.
1860 CVE-2014-4996 59 2018-01-10 2018-01-30
2.1
None Local Low Not required None Partial None
lib/vlad/dba/mysql.rb in the VladTheEnterprising gem 0.2 for Ruby allows local users to write to arbitrary files via a symlink attack on /tmp/my.cnf.#{target_host}.
1861 CVE-2014-4994 20 2018-01-10 2018-01-30
2.1
None Local Low Not required None Partial None
lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users to write to arbitrary files via a symlink attack on a temporary file, related to time-based filenames.
1862 CVE-2014-4993 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
(1) lib/backup/cli/utility.rb in the backup-agoddard gem 3.0.28 and (2) lib/backup/cli/utility.rb in the backup_checksum gem 3.0.23 for Ruby place credentials on the openssl command line, which allows local users to obtain sensitive information by listing the process.
1863 CVE-2014-4992 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
lib/cap-strap/helpers.rb in the cap-strap gem 0.1.5 for Ruby places credentials on the useradd command line, which allows local users to obtain sensitive information by listing the process.
1864 CVE-2014-4991 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
(1) lib/dataset/database/mysql.rb and (2) lib/dataset/database/postgresql.rb in the codders-dataset gem 1.3.2.1 for Ruby place credentials on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.
1865 CVE-2014-4974 200 +Info 2014-11-04 2017-08-28
2.1
None Local Low Not required Partial None None
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) kernel mode driver, aka Personal Firewall module before Build 1212 (20140609), as used in multiple ESET products 5.0 through 7.0, allows local users to obtain sensitive information from kernel memory via crafted IOCTL calls.
1866 CVE-2014-4835 200 +Info 2015-01-17 2017-08-28
2.1
None Local Low Not required Partial None None
IBM ServerGuide before 9.63, UpdateXpress System Packs Installer (UXSPI) before 9.63, and ToolsCenter Suite before 9.63 place credentials in logs, which allows local users to obtain sensitive information by reading a file.
1867 CVE-2014-4818 200 +Info 2015-02-24 2015-11-30
2.1
None Local Low Not required Partial None None
dsmtca in the client in IBM Tivoli Storage Manager (TSM) 5.4.x, 5.5.x, 6.x before 6.4.3, and 7.1.x before 7.1.2 allows local users to discover the backup/restore encryption-key password via unspecified vectors.
1868 CVE-2014-4817 264 Bypass 2014-11-18 2017-08-28
2.1
None Local Low Not required None Partial None
The server in IBM Tivoli Storage Manager (TSM) 5.x and 6.x before 6.3.5.10 and 7.x before 7.1.1.100 allows remote attackers to bypass intended access restrictions and replace file backups by using a certain backup option in conjunction with a filename that matches a previously used filename.
1869 CVE-2014-4806 310 +Info 2014-08-29 2017-08-28
2.1
None Local Low Not required Partial None None
The installation process in IBM Security AppScan Enterprise 8.x before 8.6.0.2 iFix 003, 8.7.x before 8.7.0.1 iFix 003, 8.8.x before 8.8.0.1 iFix 002, and 9.0.x before 9.0.0.1 iFix 001 on Linux places a cleartext password in a temporary file, which allows local users to obtain sensitive information by reading this file.
1870 CVE-2014-4805 200 +Info 2014-09-04 2017-08-28
2.1
None Local Low Not required Partial None None
IBM DB2 10.5 before FP4 on Linux and AIX creates temporary files during CDE table LOAD operations, which allows local users to obtain sensitive information by reading a file while a LOAD is occurring.
1871 CVE-2014-4776 200 +Info 2015-05-20 2017-01-02
2.1
None Local Low Not required Partial None None
IBM License Metric Tool 9 before 9.1.0.2 does not have an off autocomplete attribute for authentication fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.
1872 CVE-2014-4768 DoS 2015-06-28 2015-07-07
2.1
None Remote High Single system None None Partial
IBM Unified Extensible Firmware Interface (UEFI) on Flex System x880 X6, System x3850 X6, and System x3950 X6 devices allows remote authenticated users to cause an unspecified temporary denial of service by using privileged access to enable a legacy boot mode.
1873 CVE-2014-4757 264 Bypass 2014-08-11 2017-08-28
2.1
None Local Low Not required Partial None None
The Outlook Extension in IBM Content Collector 4.0.0.x before 4.0.0.0-ICC-OE-IF004 allows local users to bypass the intended Reviewer privilege requirement and read e-mail messages from an arbitrary mailbox by invoking the Search function.
1874 CVE-2014-4750 200 +Info 2014-08-20 2017-08-28
2.9
None Local Network Medium Not required Partial None None
IBM PowerVC Express Edition 1.2.0 before FixPack3 establishes an FTP session for transferring files to a managed IVM, which allows remote attackers to discover credentials by sniffing the network.
1875 CVE-2014-4747 200 +Info 2014-07-26 2017-01-06
2.1
None Local Low Not required Partial None None
The Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows physically proximate attackers to discover a meeting password hash by leveraging access to an unattended workstation to read HTML source code within a victim's browser.
1876 CVE-2014-4721 200 +Info 2014-07-06 2017-01-06
2.6
None Remote High Not required Partial None None
The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.
1877 CVE-2014-4703 59 +Info 2014-12-05 2016-11-28
2.1
None Local Low Not required Partial None None
lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain sensitive information via a symlink attack on the configuration file in the extra-opts flag. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4701.
1878 CVE-2014-4702 200 +Info 2014-12-05 2016-11-28
2.1
None Local Low Not required Partial None None
The check_icmp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4701.
1879 CVE-2014-4701 200 1 +Info 2014-12-05 2016-11-28
2.1
None Local Low Not required Partial None None
The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4702.
1880 CVE-2014-4620 200 +Info 2014-10-25 2017-08-28
2.1
None Local Low Not required Partial None None
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.
1881 CVE-2014-4506 79 XSS 2014-06-20 2016-05-18
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Custom Meta module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allows remote authenticated users with the "administer custom meta settings" permission to inject arbitrary web script or HTML via the (1) attribute or (2) content value for a meta tag.
1882 CVE-2014-4499 200 +Info 2015-01-30 2015-11-30
2.1
None Local Low Not required Partial None None
The App Store process in CommerceKit Framework in Apple OS X before 10.10.2 places Apple ID credentials in App Store logs, which allows local users to obtain sensitive information by reading a file.
1883 CVE-2014-4463 264 Bypass 2014-11-18 2017-08-28
2.1
None Local Low Not required Partial None None
Apple iOS before 8.1.1 allows physically proximate attackers to bypass the lock-screen protection mechanism, and view or transmit a Photo Library photo, via the FaceTime "Leave a Message" feature.
1884 CVE-2014-4460 200 +Info 2014-11-18 2017-08-28
2.1
None Local Low Not required Partial None None
CFNetwork in Apple iOS before 8.1.1 and OS X before 10.10.1 does not properly clear the browsing cache upon a transition out of private-browsing mode, which makes it easier for physically proximate attackers to obtain sensitive information by reading cache files.
1885 CVE-2014-4455 264 Bypass 2014-11-18 2017-08-28
2.1
None Local Low Not required None Partial None
dyld in Apple iOS before 8.1.1 and Apple TV before 7.0.2 does not properly handle overlapping segments in Mach-O executable files, which allows local users to bypass intended code-signing restrictions via a crafted file.
1886 CVE-2014-4446 264 Bypass 2014-10-17 2017-08-28
2.1
None Remote High Single system Partial None None
Mail Service in Apple OS X Server before 4.0 does not enforce SACL changes until after a service restart, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging a change made by an administrator.
1887 CVE-2014-4440 200 +Info 2014-10-17 2017-08-28
2.6
None Remote High Not required Partial None None
The MCX Desktop Config Profiles implementation in Apple OS X before 10.10 retains web-proxy settings from uninstalled mobile-configuration profiles, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging access to an unintended proxy server.
1888 CVE-2014-4431 264 2014-10-17 2017-08-28
2.1
None Local Low Not required Partial None None
Dock in Apple OS X before 10.10 does not properly manage the screen-lock state, which allows physically proximate attackers to view windows by leveraging an unattended workstation.
1889 CVE-2014-4403 200 Bypass +Info 2014-09-19 2017-08-28
2.1
None Local Low Not required Partial None None
The kernel in Apple OS X before 10.9.5 allows local users to obtain sensitive address information and bypass the ASLR protection mechanism by leveraging predictability of the location of the CPU Global Descriptor Table.
1890 CVE-2014-4367 264 2014-09-18 2017-08-28
2.1
None Local Low Not required None Partial None
Apple iOS before 8 enables Voice Dial during all upgrade actions, which makes it easier for physically proximate attackers to launch unintended calls by speaking a telephone number.
1891 CVE-2014-4364 310 2014-09-18 2017-08-28
2.9
None Local Network Medium Not required Partial None None
The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the MS-CHAPv1 hash.
1892 CVE-2014-4357 200 +Info 2014-09-18 2017-08-28
2.1
None Local Low Not required Partial None None
Accounts Framework in Apple iOS before 8 and Apple TV before 7 allows attackers to obtain sensitive information by reading log data that was not intended to be present in a log.
1893 CVE-2014-4356 200 +Info 2014-09-18 2017-08-28
2.1
None Local Low Not required Partial None None
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.
1894 CVE-2014-4352 310 +Info 2014-09-18 2017-08-28
2.1
None Local Low Not required Partial None None
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.
1895 CVE-2014-4330 119 DoS Overflow 2014-09-30 2018-10-09
2.1
None Local Low Not required None None Partial
The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.
1896 CVE-2014-4303 79 XSS 2014-06-18 2016-09-06
2.1
None Remote High Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Touch theme 7.x-1.x before 7.x-1.9 for Drupal allow remote authenticated users with the Administer themes permission to inject arbitrary web script or HTML via vectors related to the (1) Twitter and (2) Facebook username settings.
1897 CVE-2014-4243 2014-07-17 2018-10-09
2.8
None Remote Medium Multiple systems None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to ENFED.
1898 CVE-2014-4222 2014-07-17 2018-10-09
2.1
None Remote High Single system Partial None None
Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0 and 12.1.2.0 allows remote authenticated users to affect confidentiality via vectors related to plugin 1.1.
1899 CVE-2014-4208 2014-07-17 2018-10-09
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4220.
1900 CVE-2014-4039 264 +Info 2014-06-17 2017-01-06
2.1
None Local Low Not required Partial None None
ppc64-diag 2.6.1 uses 0775 permissions for /tmp/diagSEsnap and does not properly restrict permissions for /tmp/diagSEsnap/snapH.tar.gz, which allows local users to obtain sensitive information by reading files in this archive, as demonstrated by /var/log/messages and /etc/yaboot.conf.
Total number of vulnerabilities : 4610   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 (This Page)39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.