CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2001 CVE-2014-0219 20 DoS 2017-11-15 2019-01-08
2.1
None Local Low Not required None None Partial
Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports.
2002 CVE-2014-0206 +Info 2014-06-25 2018-12-13
2.1
None Local Low Not required Partial None None
Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value.
2003 CVE-2014-0202 255 +Info 2014-05-30 2014-06-26
2.1
None Local Low Not required Partial None None
The setup script in ovirt-engine-dwh, as used in the Red Hat Enterprise Virtualization Manager data warehouse (rhevm-dwh) package before 3.3.3, stores the history database password in cleartext, which allows local users to obtain sensitive information by reading an unspecified file.
2004 CVE-2014-0201 264 +Info 2014-05-29 2014-05-30
2.1
None Local Low Not required Partial None None
ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports package (rhevm-reports) before 3.3.3, uses world-readable permissions on configuration files, which allows local users to obtain sensitive information by reading the files.
2005 CVE-2014-0200 264 +Info 2014-05-29 2014-05-30
2.1
None Local Low Not required Partial None None
The Red Hat Enterprise Virtualization Manager reports (rhevm-reports) package before 3.3.3-1 uses world-readable permissions on the datasource configuration file (js-jboss7-ds.xml), which allows local users to obtain sensitive information by reading the file.
2006 CVE-2014-0199 310 +Info 2014-05-29 2014-05-30
2.1
None Local Low Not required Partial None None
The setup script in ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports (rhevm-reports) package before 3.3.3, stores the reports database password in cleartext, which allows local users to obtain sensitive information by reading an unspecified file.
2007 CVE-2014-0189 310 2014-05-02 2016-08-26
2.1
None Local Low Not required Partial None None
virt-who uses world-readable permissions for /etc/sysconfig/virt-who, which allows local users to obtain password for hypervisors by reading the file.
2008 CVE-2014-0181 264 Bypass 2014-04-26 2018-10-30
2.1
None Local Low Not required None Partial None
The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program.
2009 CVE-2014-0164 310 +Info 2014-05-05 2014-06-30
2.1
None Local Low Not required Partial None None
openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise 1.2.7 and 2.0.5, uses world-readable permissions for the mcollective client.cfg configuration file, which allows local users to obtain credentials and other sensitive information by reading the file.
2010 CVE-2014-0142 369 DoS 2017-08-10 2017-11-03
2.1
None Local Low Not required None None Partial
QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function in block/bochs.c.
2011 CVE-2014-0131 416 +Info 2014-03-24 2019-05-13
2.9
None Local Network Medium Not required Partial None None
Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.
2012 CVE-2014-0103 310 +Info 2014-07-29 2015-11-04
2.1
None Local Low Not required Partial None None
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.
2013 CVE-2014-0085 255 +Info 2014-04-17 2018-10-23
2.1
None Local Low Not required Partial None None
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.
2014 CVE-2014-0059 200 +Info 2014-11-17 2016-09-30
2.1
None Local Low Not required Partial None None
JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive information by reading this file.
2015 CVE-2014-0056 287 2014-05-08 2014-06-05
2.1
None Remote High Single system Partial None None
The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.
2016 CVE-2014-0046 79 XSS 2014-02-27 2018-08-13
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the link-to helper in Ember.js 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6, when used in non-block form, allows remote attackers to inject arbitrary web script or HTML via the title attribute.
2017 CVE-2013-7461 284 Bypass 2017-03-14 2017-03-16
2.1
None Local Low Not required None Partial None
A write protection and execution bypass vulnerability in McAfee (now Intel Security) Change Control (MCC) 6.1.0 for Linux and earlier allows authenticated users to change files that are part of write protection rules via specific conditions.
2018 CVE-2013-7460 284 Bypass 2017-03-14 2017-03-17
2.1
None Local Low Not required None Partial None
A write protection and execution bypass vulnerability in McAfee (now Intel Security) Application Control (MAC) 6.1.0 for Linux and earlier allows authenticated users to change binaries that are part of the Application Control whitelist and allows execution of binaries via specific conditions.
2019 CVE-2013-7458 200 +Info 2016-08-10 2018-08-08
2.1
None Local Low Not required Partial None None
linenoise, as used in Redis before 3.2.3, uses world-readable permissions for .rediscli_history, which allows local users to obtain sensitive information by reading the file.
2020 CVE-2013-7421 264 2015-03-02 2018-01-04
2.1
None Local Low Not required None Partial None
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.
2021 CVE-2013-7393 59 +Priv 2014-07-28 2016-10-17
2.4
None Local High Single system None Partial Partial
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions (ADT3).
2022 CVE-2013-7273 DoS 2014-04-29 2014-04-30
2.1
None Local Low Not required None None Partial
GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list is set to true, allows local users to cause a denial of service (unable to login) by pressing the cancel button after entering a user name.
2023 CVE-2013-7203 200 +Info 2018-09-21 2018-11-19
2.1
None Local Low Not required Partial None None
gitolite before commit fa06a34 might allow local users to read arbitrary files in repositories via vectors related to the user umask when running gitolite setup.
2024 CVE-2013-7128 310 +Info 2013-12-17 2013-12-18
2.1
None Local Low Not required Partial None None
Valve Bug Reporter in the valve-bugreporter package 2.10+bsos1 in Valve SteamOS Beta stores cleartext credentials in a .valve-bugreporter.cfg file upon a Remember Credentials action, which allows local users to obtain sensitive information by reading this file.
2025 CVE-2013-7127 310 +Info 2013-12-17 2017-08-28
2.1
None Local Low Not required Partial None None
Apple Safari 6.0.5 on Mac OS X 10.7.5 and 10.8.5 stores cleartext credentials in LastSession.plist, which allows local users to obtain sensitive information by reading this file.
2026 CVE-2013-7078 79 XSS 2014-01-19 2017-08-28
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message. NOTE: this might be the same vulnerability as CVE-2013-7072.
2027 CVE-2013-7064 79 XSS 2014-04-29 2014-04-29
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the EU Cookie Compliance module 7.x-1.x before 7.x-1.12 for Drupal allows remote authenticated administrators with the "Administer EU Cookie Compliance popup" permission to inject arbitrary web script or HTML via unspecified configuration values.
2028 CVE-2013-6986 310 Bypass +Info 2013-12-12 2013-12-19
2.1
None Local Low Not required Partial None None
The ZippyYum Subway CA Kiosk app 3.4 for iOS uses cleartext storage in SQLite cache databases, which allows attackers to obtain sensitive information by reading data elements, as demonstrated by password elements.
2029 CVE-2013-6956 79 XSS 2013-12-13 2014-01-03
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Secure Access Service Web rewriting feature in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS before 7.1r17, 7.3 before 7.3r8, 7.4 before 7.4r6, and 8.0 before 8.0r1, when web rewrite is enabled, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
2030 CVE-2013-6497 17 DoS 2014-12-01 2017-08-28
2.1
None Local Low Not required None None Partial
clamscan in ClamAV before 0.98.5, when using -a option, allows remote attackers to cause a denial of service (crash) as demonstrated by the jwplayer.js file.
2031 CVE-2013-6494 17 DoS 2014-12-01 2014-12-02
2.1
None Local Low Not required None None Partial
fedup 0.9.0 in Fedora 19, 20, and 21 uses a temporary directory with a static name for its download cache, which allows local users to cause a denial of service (prevention of system updates).
2032 CVE-2013-6493 200 +Info 2014-03-03 2014-03-16
2.1
None Local Low Not required Partial None None
The LiveConnect implementation in plugin/icedteanp/IcedTeaNPPlugin.cc in IcedTea-Web before 1.4.2 allows local users to read the messages between a Java applet and a web browser by pre-creating a temporary socket file with a predictable name in /tmp.
2033 CVE-2013-6480 200 +Info 2014-01-07 2018-10-09
2.1
None Local Low Not required Partial None None
Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.
2034 CVE-2013-6436 264 DoS 2014-01-07 2015-01-02
2.1
None Local Low Not required None None Partial
The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt 1.0.5 through 1.2.0 does not properly check the status of LXC guests when reading memory tunables, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) via a guest in the shutdown status, as demonstrated by the "virsh memtune" command.
2035 CVE-2013-6402 59 2014-01-05 2014-03-05
2.1
None Local Low Not required None Partial None
base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.11 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hp-pkservice.log temporary file.
2036 CVE-2013-6398 264 Bypass 2014-01-15 2014-09-04
2.8
None Remote Medium Multiple systems Partial None None
The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request.
2037 CVE-2013-6394 310 2013-12-13 2018-10-30
2.1
None Local Low Not required None Partial None
Percona XtraBackup before 2.1.6 uses a constant string for the initialization vector (IV), which makes it easier for local users to defeat cryptographic protection mechanisms and conduct plaintext attacks.
2038 CVE-2013-6387 79 XSS 2013-12-24 2014-01-03
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field.
2039 CVE-2013-6372 255 2014-05-08 2014-05-09
2.1
None Local Low Not required Partial None None
The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.
2040 CVE-2013-6335 264 Bypass 2014-08-26 2017-08-28
2.6
None Local High Not required Partial Partial None
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and restore operations, which allows local users to bypass intended access restrictions via standard filesystem operations.
2041 CVE-2013-6223 255 2014-06-09 2014-06-24
2.1
None Local Low Not required Partial None None
LiveZilla before 5.1.1.0 stores the admin Base64 encoded username and password in a 1click file, which allows local users to obtain access by reading the file.
2042 CVE-2013-6216 +Priv 2014-04-12 2014-04-14
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in HP Array Configuration Utility, Array Diagnostics Utility, ProLiant Array Diagnostics, and SmartSSD Wear Gauge Utility 9.40 and earlier allows local users to gain privileges via unknown vectors.
2043 CVE-2013-6181 310 +Info 2013-12-27 2014-01-07
2.1
None Local Low Not required Partial None None
EMC Watch4Net before 6.3 stores cleartext polled-device passwords in the installation repository, which allows local users to obtain sensitive information by leveraging repository privileges.
2044 CVE-2013-5964 79 XSS 2013-09-30 2013-10-10
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the administration page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag title.
2045 CVE-2013-5951 79 XSS 2014-03-25 2016-12-30
2.6
None Remote High Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer 2.1.3, when used as a component for Joomla!, allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) application.js.php in scripts/ or (2) admin.php, (3) copy_move.php, (4) functions.php, (5) header.php, or (6) upload.php in include/.
2046 CVE-2013-5908 2014-01-15 2017-08-28
2.6
None Remote High Not required None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling.
2047 CVE-2013-5875 2014-01-15 2017-08-28
2.7
None Local Medium Multiple systems None Partial Partial
Unspecified vulnerability in Oracle Solaris 11.1 allows local users to affect integrity and availability via vectors related to Role Based Access Control (RBAC).
2048 CVE-2013-5872 2014-01-15 2017-08-28
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local users to affect availability via vectors related to Name Service Cache Daemon (NSCD).
2049 CVE-2013-5854 2013-10-16 2017-09-18
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in Oracle Java SE 7u40 and earlier and JavaFX 2.2.40 and earlier allows remote attackers to affect confidentiality via unknown vectors.
2050 CVE-2013-5837 2013-10-16 2013-10-17
2.1
None Remote High Single system Partial None None
Unspecified vulnerability in the Oracle Health Sciences InForm component in Oracle Industry Applications 4.6 SP0, 4.6 SP0a-c, 4.6 SP1, 4.6 SP1a-c, 4.6 SP2, 4.6 SP2a-c, 5.0 SP0, 5.0 SP0a, 5.0 SP1, 5.0 SP1a-b, 5.0.3, and 5.0.4 allows remote authenticated users to affect confidentiality via unknown vectors related to Cognos.
Total number of vulnerabilities : 4610   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 (This Page)42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.