CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2351 CVE-2014-4150 59 2018-07-20 2018-09-18
3.6
None Local Low Not required None Partial Partial
The scheme48-send-definition function in cmuscheme48.el in Scheme 48 allows local users to write to arbitrary files via a symlink attack on /tmp/s48lose.tmp.
2352 CVE-2014-3986 59 2014-06-08 2014-06-09
3.3
None Local Medium Not required None Partial Partial
include/tests_webservers in Lynis before 1.5.5 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/lynis.*.unsorted file with an easily determined name.
2353 CVE-2014-3982 59 2014-06-08 2014-06-09
3.3
None Local Medium Not required None Partial Partial
include/tests_webservers in Lynis before 1.5.5 on AIX allows local users to overwrite arbitrary files via a symlink attack on a /tmp/lynis.##### file.
2354 CVE-2014-3981 59 2014-06-08 2017-01-06
3.3
None Local Medium Not required None Partial Partial
acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.
2355 CVE-2014-3949 79 XSS 2014-06-04 2014-06-05
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the layout wizard in the Grid Elements (gridelements) extension before 1.5.1 and 2.0.x before 2.0.3 for TYPO3 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.
2356 CVE-2014-3943 79 XSS 2014-06-03 2017-12-28
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters.
2357 CVE-2014-3933 79 XSS 2014-06-02 2015-09-02
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the address components field formatter in the AddressField Tokens module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via an address field.
2358 CVE-2014-3917 200 DoS +Info 2014-06-05 2016-04-01
3.3
None Local Medium Not required Partial None Partial
kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number.
2359 CVE-2014-3903 79 XSS 2014-08-19 2017-07-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Cakifo theme 1.x before 1.6.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via crafted Exif data.
2360 CVE-2014-3887 79 XSS 2017-04-13 2017-04-20
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in I-O DATA DEVICE RockDisk with firmware before 1.05e1-2.0.5 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. NOTE: This vulnerability exists because of an incomplete fix for CVE-2013-4713.
2361 CVE-2014-3840 79 1 XSS 2014-05-27 2014-06-18
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in apps/common/templates/calculate_form_title.html in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script or HTML via a (1) tag or the (2) title of a source in a Staging folder, (3) Name field in a bootstrap setup, or Title field in a (4) smart link or (5) web form.
2362 CVE-2014-3801 200 +Info 2014-05-23 2017-12-28
3.5
None Remote Medium Single system Partial None None
OpenStack Orchestration API (Heat) 2013.2 through 2013.2.3 and 2014.1, when creating the stack for a template using a provider template, allows remote authenticated users to obtain the provider template URL via the resource-type-list.
2363 CVE-2014-3740 79 1 XSS 2014-09-11 2018-10-10
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page.
2364 CVE-2014-3717 20 DoS Overflow 2014-05-19 2018-10-30
3.3
None Local Medium Not required Partial None Partial
Xen 4.4.x does not properly validate the load address for 64-bit ARM guest kernels, which allows local users to read system memory or cause a denial of service (crash) via a crafted kernel, which triggers a buffer overflow.
2365 CVE-2014-3715 119 DoS Overflow 2014-05-19 2018-10-30
3.3
None Local Medium Not required Partial None Partial
Buffer overflow in Xen 4.4.x allows local users to read system memory or cause a denial of service (crash) via a crafted 32-bit guest kernel, related to searching for an appended DTB.
2366 CVE-2014-3714 20 DoS Overflow 2014-05-19 2018-10-30
3.3
None Local Medium Not required Partial None Partial
The ARM image loading functionality in Xen 4.4.x does not properly validate kernel length, which allows local users to read system memory or cause a denial of service (crash) via a crafted 32-bit ARM guest kernel in an image, which triggers a buffer overflow.
2367 CVE-2014-3594 79 XSS 2014-08-22 2018-10-30
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.
2368 CVE-2014-3559 264 +Info 2014-08-06 2017-08-28
3.5
None Remote Medium Single system Partial None None
The oVirt storage backend in Red Hat Enterprise Virtualization 3.4 does not wipe memory snapshots when deleting a VM, even when wipe-after-delete (WAD) is configured for the VM's disk, which allows remote authenticated users with certain credentials to read portions of the deleted VM's memory and obtain sensitive information via an uninitialized storage volume.
2369 CVE-2014-3551 79 XSS 2014-07-29 2015-10-08
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric.
2370 CVE-2014-3544 79 1 XSS 2014-07-29 2015-08-31
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.
2371 CVE-2014-3531 79 XSS 2017-10-18 2017-10-27
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description.
2372 CVE-2014-3474 79 XSS 2014-10-31 2018-10-30
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name.
2373 CVE-2014-3424 59 2014-05-08 2015-04-09
3.3
None Local Medium Not required None Partial Partial
lisp/net/tramp-sh.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a /tmp/tramp.##### temporary file.
2374 CVE-2014-3423 59 2014-05-08 2015-04-09
3.3
None Local Medium Not required None Partial Partial
lisp/net/browse-url.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a /tmp/Mosaic.##### temporary file.
2375 CVE-2014-3422 59 2014-05-08 2015-04-09
3.3
None Local Medium Not required None Partial Partial
lisp/emacs-lisp/find-gc.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file under /tmp/esrc/.
2376 CVE-2014-3421 59 2014-05-08 2015-04-09
3.3
None Local Medium Not required None Partial Partial
lisp/gnus/gnus-fun.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/gnus.face.ppm temporary file.
2377 CVE-2014-3363 79 XSS 2014-09-11 2017-08-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the web framework in Cisco Unified Communications Manager (UCM) 9.1(2.10000.28) allows remote authenticated users to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCuq68443.
2378 CVE-2014-3147 79 XSS 2014-10-09 2014-10-10
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the auto-complete feature in Splunk Enterprise before 6.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a CSV file.
2379 CVE-2014-3111 79 XSS 2014-10-21 2018-10-09
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in FOG 0.27 through 0.32 allow remote authenticated users to inject arbitrary web script or HTML via the (1) Printer Model field to the Printer Management page, (2) Image Name field to the Image Management page, (3) Storage Group Name field to the Storage Management page, (4) Username field to the User Cleanup FOG Configuration page, or (5) Directory Path field to the Directory Cleaner FOG Configuration page.
2380 CVE-2014-3102 79 XSS 2014-08-12 2017-08-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.0 through 7.0.0.2 CF28 and 8.0.0 before 8.0.0.1 CF13 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
2381 CVE-2014-3096 79 XSS 2015-01-09 2017-08-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in IBM Curam Social Program Management before 6.0.5.5a allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
2382 CVE-2014-3095 20 DoS 2014-09-04 2017-08-28
3.5
None Remote Medium Single system None None Partial
The SQL engine in IBM DB2 9.5 through FP10, 9.7 through FP9a, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP4 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) via a crafted UNION clause in a subquery of a SELECT statement.
2383 CVE-2014-3075 79 XSS 2014-09-04 2017-08-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 8.5.5 and WebSphere Lombardi Edition 7.2.0.x allows remote authenticated users to inject arbitrary web script or HTML via an uploaded file.
2384 CVE-2014-3069 Http R.Spl. 2014-08-11 2017-08-28
3.5
None Remote Medium Single system None Partial None
Multiple CRLF injection vulnerabilities in the Universal Access component in IBM Curam Social Program Management (SPM) 6.0.5.5, when WebSphere Application Server is not used, allow remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified parameters.
2385 CVE-2014-3052 16 +Info 2014-06-21 2017-08-28
3.3
None Local Network Low Not required Partial None None
The reverse-proxy feature in IBM Security Access Manager (ISAM) for Web 8.0 with firmware 8.0.0.2 and 8.0.0.3 interprets the jct-nist-compliance parameter in the opposite of the intended manner, which makes it easier for remote attackers to obtain sensitive information by leveraging weak SSL encryption settings that lack NIST SP 800-131A compliance.
2386 CVE-2014-3050 200 +Info 2014-07-29 2017-08-28
3.5
None Remote Medium Single system Partial None None
IBM Rational Team Concert (RTC) 3.x before 3.0.1.6 IF3 and 4.x before 4.0.7 does not properly integrate with build engines, which allows remote authenticated users to discover credentials via unspecified vectors.
2387 CVE-2014-3038 264 Bypass 2014-06-08 2017-08-28
3.6
None Local Low Not required Partial Partial None
IBM SPSS Modeler 16.0 before 16.0.0.1 on UNIX does not properly drop group privileges, which allows local users to bypass intended file-access restrictions by leveraging (1) gid 0 or (2) root's group memberships.
2388 CVE-2014-3035 79 XSS 2014-08-26 2017-08-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in IBM Emptoris Spend Analysis 9.5.x before 9.5.0.4, 10.0.1.x before 10.0.1.3, and 10.0.2.x before 10.0.2.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
2389 CVE-2014-3034 79 XSS 2014-08-26 2017-08-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in IBM Emptoris Contract Management 9.5.x before 9.5.0.6 iFix 10, 10.0.0.x before 10.0.0.1 iFix 10, 10.0.1.x before 10.0.1.4, and 10.0.2.x before 10.0.2.2 iFix 2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
2390 CVE-2014-3033 79 XSS 2014-08-26 2017-08-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in IBM Emptoris Sourcing Portfolio 9.5.x before 9.5.1.3, 10.0.0.x before 10.0.0.1, 10.0.1.x before 10.0.1.3, and 10.0.2.x before 10.0.2.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
2391 CVE-2014-3032 79 XSS 2015-01-17 2017-08-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Web GUI in IBM Tivoli Netcool/OMNIbus 7.3.0 before 7.3.0.6, 7.3.1 before 7.3.1.7, and 7.4.0 before 7.4.0.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
2392 CVE-2014-3031 79 XSS 2014-08-11 2017-08-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in IBM Tivoli Business Service Manager 4.2.0 before 4.2.0.0 IF12 and 4.2.1 before 4.2.1.3 IF9 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
2393 CVE-2014-3026 Http R.Spl. 2014-07-29 2017-08-28
3.5
None Remote Medium Single system None Partial None
CRLF injection vulnerability in IBM Maximo Asset Management 7.5 through 7.5.0.6, and 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
2394 CVE-2014-3025 79 XSS 2014-07-30 2017-08-28
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.2, and 7.2 for Tivoli Asset Management for IT and certain other products allow remote authenticated users to inject arbitrary web script or HTML via unspecified input to a .jsp file under webclient/utility/.
2395 CVE-2014-3014 79 XSS 2014-05-26 2017-08-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
2396 CVE-2014-3013 79 XSS 2014-06-18 2017-08-28
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in IBM Curam Social Program Management 4.5 SP10 through 6.0.5.4 allow remote authenticated users to inject arbitrary web script or HTML via crafted input to a (1) custom JSP or (2) custom renderer.
2397 CVE-2014-3012 Http R.Spl. 2014-06-18 2017-08-28
3.5
None Remote Medium Single system None Partial None
Multiple CRLF injection vulnerabilities in IBM Curam Social Program Management 5.2 SP1 through 6.0.5.4 allow remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified parameters to custom JSPs.
2398 CVE-2014-3009 20 2014-08-01 2017-08-28
3.5
None Remote Medium Single system None Partial None
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct phishing attacks via a crafted web site.
2399 CVE-2014-2995 79 XSS 2014-10-17 2017-08-28
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in twitget.php in the Twitget plugin before 3.3.3 for WordPress allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors, as demonstrated by the twitget_consumer_key parameter to wp-admin/options-general.php.
2400 CVE-2014-2971 79 XSS 2014-07-24 2014-07-25
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in AddStdLetter.jsp in MicroPact iComplaints before 8.0.2.1.8.8014 allows remote authenticated users to inject arbitrary web script or HTML via the description parameter.
Total number of vulnerabilities : 3652   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 (This Page)49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.