CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
4051 CVE-2014-8399 DoS 2014-10-31 2014-11-03
2.1
None Local Low Not required None None Partial
The default configuration in systemd-shim 8 enables the Abandon debugging clause, which allows local users to cause a denial of service via unspecified vectors.
4052 CVE-2014-8335 255 +Info 2018-01-05 2018-01-19
2.1
None Local Low Not required Partial None None
(1) wp-dbmanager.php and (2) database-manage.php in the WP-DBManager (aka Database Manager) plugin before 2.7.2 for WordPress place credentials on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.
4053 CVE-2014-8181 665 +Info 2019-11-06 2019-11-09
2.1
None Local Low Not required Partial None None
The kernel in Red Hat Enterprise Linux 7 and MRG-2 does not clear garbage data for SG_IO buffer, which may leaking sensitive information to userspace.
4054 CVE-2014-8180 287 DoS Bypass 2017-06-06 2017-06-14
2.1
None Local Low Not required None None Partial
MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service.
4055 CVE-2014-8136 264 DoS 2014-12-19 2018-10-30
2.1
None Local Low Not required None None Partial
The (1) qemuDomainMigratePerform and (2) qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allow local users to cause a denial of service via unspecified vectors.
4056 CVE-2014-8135 DoS 2014-12-19 2015-01-10
2.1
None Local Low Not required None None Partial
The storageVolUpload function in storage/storage_driver.c in libvirt before 1.2.11 does not check a certain return value, which allows local users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted offset value in a "virsh vol-upload" command.
4057 CVE-2014-8133 264 Bypass 2014-12-17 2016-12-24
2.1
None Local Low Not required None Partial None
arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value.
4058 CVE-2014-7954 22 Dir. Trav. 2017-07-07 2018-10-09
2.1
None Local Low Not required None Partial None
Directory traversal vulnerability in the doSendObjectInfo method in frameworks/av/media/mtp/MtpServer.cpp in Android 4.4.4 allows physically proximate attackers with a direct connection to the target Android device to upload files outside of the sdcard via a .. (dot dot) in a name parameter of an MTP request.
4059 CVE-2014-7951 22 Dir. Trav. 2020-02-20 2020-02-25
2.1
None Local Low Not required None Partial None
Directory traversal vulnerability in the Android debug bridge (aka adb) in Android 4.0.4 allows physically proximate attackers with a direct connection to the target Android device to write to arbitrary files owned by system via a .. (dot dot) in the tar archive headers.
4060 CVE-2014-7835 79 XSS 2014-11-24 2020-12-01
2.1
None Remote High ??? None Partial None
webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area.
4061 CVE-2014-7824 399 DoS 2014-11-18 2017-09-08
2.1
None Local Low Not required None None Partial
D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.
4062 CVE-2014-7231 200 +Info 2014-10-08 2018-11-16
2.1
None Local Low Not required Partial None None
The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.
4063 CVE-2014-7230 200 Exec Code +Info 2014-10-08 2018-11-16
2.1
None Local Low Not required Partial None None
The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.
4064 CVE-2014-6591 2015-01-21 2020-09-08
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6585.
4065 CVE-2014-6585 2015-01-21 2020-09-08
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6591.
4066 CVE-2014-6558 2014-10-15 2020-09-08
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security.
4067 CVE-2014-6551 2014-10-15 2018-12-18
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows local users to affect confidentiality via vectors related to CLIENT:MYSQLADMIN.
4068 CVE-2014-6527 2014-10-15 2020-09-08
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6476.
4069 CVE-2014-6502 2014-10-15 2020-09-08
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries.
4070 CVE-2014-6501 2014-10-15 2015-11-06
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality via vectors related to SSH.
4071 CVE-2014-6488 2014-10-15 2015-11-06
2.1
None Remote High ??? None Partial None
Unspecified vulnerability in the Enterprise Manager for Oracle Database component in Oracle Enterprise Manager Grid Control EM Base Platform: 10.2.0.5, 11.1.0.1 EM DB Control: 11.1.0.7, 11.2.0.3, 11.2.0.4 EM Plugin for DB: 12.1.0.4, 12.1.0.5, and 12.1.0.6 allows remote authenticated users to affect integrity via unknown vectors related to Content Management.
4072 CVE-2014-6381 20 DoS 2014-12-12 2014-12-16
2.9
None Local Network Medium Not required None None Partial
Juniper WLC devices with WLAN Software releases 8.0.x before 8.0.4, 9.0.x before 9.0.2.11, 9.0.3.x before 9.0.3.5, and 9.1.x before 9.1.1, when "Proxy ARP" or "No Broadcast" features are enabled in a clustered setup, allows remote attackers to cause a denial of service (device disconnect) via unspecified vectors.
4073 CVE-2014-6211 200 +Info 2015-05-20 2019-09-30
2.1
None Local Low Not required Partial None None
The command-line scripts in IBM WebSphere Commerce 6.0 through 6.0.0.11, 7.0 through 7.0.0.9, and 7.0 Feature Pack 2 through 8, when debugging is configured, do not properly restrict the logging of personal data, which allows local users to obtain sensitive information by reading a log file.
4074 CVE-2014-6160 264 Bypass 2014-12-29 2017-09-08
2.1
None Local Low Not required None Partial None
IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.
4075 CVE-2014-6147 200 +Priv +Info 2015-02-19 2017-09-08
2.1
None Local Low Not required Partial None None
IBM Flex System Manager (FSM) 1.1.x.x, 1.2.0.x, 1.2.1.x, 1.3.0.0, 1.3.1.0, and 1.3.2.0 allows local users to obtain sensitive information, and consequently gain privileges or conduct impersonation attacks, via unspecified vectors.
4076 CVE-2014-6143 200 +Info 2014-12-11 2017-09-08
2.1
None Local Low Not required Partial None None
The IBM WebSphere DataPower XC10 appliance 2.1 and 2.5 before FP4 allows local users to obtain sensitive information by reading a response.
4077 CVE-2014-6133 +Info 2014-10-26 2017-09-08
2.1
None Local Low Not required Partial None None
IBM API Management 3.x before 3.0.1.0 allows local users to obtain sensitive ciphertext information via unspecified vectors.
4078 CVE-2014-6123 200 +Info 2014-12-29 2017-09-08
2.1
None Local Low Not required Partial None None
IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to obtain sensitive credential information by reading installation logs.
4079 CVE-2014-6111 255 2018-04-20 2018-05-22
2.1
None Local Low Not required Partial None None
IBM Tivoli Identity Manager 5.1.x before 5.1.0.15-ISS-TIM-IF0057 and Security Identity Manager 6.0.x before 6.0.0.4-ISS-SIM-IF0001 and 7.0.x before 7.0.0.0-ISS-SIM-IF0003 store encrypted user credentials and the keystore password in cleartext in configuration files, which allows local users to decrypt SIM credentials via unspecified vectors. IBM X-Force ID: 96180.
4080 CVE-2014-6110 284 2014-11-18 2017-09-08
2.1
None Local Low Not required None Partial None
IBM Security Identity Manager 6.x before 6.0.0.3 IF14 does not properly perform logout actions, which allows remote attackers to access sessions by leveraging an unattended workstation.
4081 CVE-2014-6102 264 Bypass 2015-02-17 2017-09-08
2.1
None Local Low Not required None Partial None
IBM Maximo Asset Management 7.1 through 7.1.1.13 and 7.5.0 before 7.5.0.6 IFIX008, Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products do not properly handle logout actions, which allows remote attackers to bypass intended Cognos BI Direct Integration access restrictions by leveraging an unattended workstation.
4082 CVE-2014-5457 264 2014-08-25 2014-08-26
2.1
None Local Low Not required Partial None None
QNAP TS-469U with firmware 4.0.7 Build 20140410, TS-459U, TS-EC1679U-RP, and SS-839 use world-readable permissions for /etc/config/shadow, which allows local users to obtain usernames and hashed passwords by reading the password.
4083 CVE-2014-5456 79 XSS 2014-08-25 2015-08-06
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Social Stats module before 7.x-1.5 for Drupal allows remote authenticated users with the "[Content Type]: Create new content" permission to inject arbitrary web script or HTML via vectors related to the configuration.
4084 CVE-2014-5450 200 +Info 2018-03-19 2018-04-20
2.1
None Local Low Not required Partial None None
Zarafa Collaboration Platform 4.1 uses world-readable permissions for /etc/zarafa/license, which allows local users to obtain sensitive information by reading license files.
4085 CVE-2014-5449 200 +Info 2014-10-20 2017-09-08
2.1
None Local Low Not required Partial None None
Zarafa WebAccess 4.1 and WebApp uses world-readable permissions for the files in their tmp directory, which allows local users to obtain sensitive information by reading temporary session data.
4086 CVE-2014-5448 200 +Info 2014-10-20 2017-09-08
2.1
None Local Low Not required Partial None None
Zarafa 5.00 uses world-readable permissions for the files in the log directory, which allows local users to obtain sensitive information by reading the log files.
4087 CVE-2014-5447 200 +Info 2014-10-20 2015-11-17
2.1
None Local Low Not required Partial None None
Zarafa WebAccess 7.1.10 and WebApp 1.6 beta uses weak permissions (644) for config.php, which allows local users to obtain sensitive information by reading the PHP session files. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0103.
4088 CVE-2014-5400 200 +Info 2015-04-03 2015-04-03
2.1
None Local Low Not required Partial None None
The installation component in Hospira MedNet before 6.1 places cleartext credentials in configuration files, which allows local users to obtain sensitive information by reading a file.
4089 CVE-2014-5398 20 DoS 2014-08-28 2014-08-28
2.1
None Local Low Not required Partial None None
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
4090 CVE-2014-5351 255 2014-10-10 2020-01-21
2.1
None Remote High ??? Partial None None
The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.
4091 CVE-2014-5270 200 +Info 2014-10-10 2017-11-04
2.1
None Local Low Not required Partial None None
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
4092 CVE-2014-5247 264 +Info 2014-08-29 2018-10-09
2.1
None Local Low Not required Partial None None
The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command.
4093 CVE-2014-5240 79 XSS 2014-08-18 2015-11-25
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.
4094 CVE-2014-5231 200 +Info 2015-01-14 2015-11-13
2.1
None Local Low Not required Partial None None
The Siemens SIMATIC WinCC [email protected] app before 1.0.2 for iOS allows physically proximate attackers to extract the password from storage via unspecified vectors.
4095 CVE-2014-5171 310 +Info 2014-07-31 2018-10-09
2.9
None Local Network Medium Not required Partial None None
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.
4096 CVE-2014-5118 20 Bypass 2019-11-18 2020-01-10
2.1
None Local Low Not required None Partial None
Trusted Boot (tboot) before 1.8.2 has a 'loader.c' Security Bypass Vulnerability
4097 CVE-2014-5038 200 +Info 2014-11-07 2014-11-10
2.1
None Local Low Not required Partial None None
Eucalyptus 3.0.0 through 4.0.1, when the log level is set to DEBUG or lower, logs user and system passwords, which allows local users to obtain sensitive information by reading the cloud log files.
4098 CVE-2014-5037 200 +Info 2014-11-07 2014-11-10
2.1
None Local Low Not required Partial None None
Eucalyptus 4.0.0 through 4.0.1, when the log level is set to INFO, logs user and system passwords, which allows local users to obtain sensitive information by reading cloud-requests.log.
4099 CVE-2014-5021 79 XSS 2014-07-22 2014-07-22
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label.
4100 CVE-2014-5004 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
lib/brbackup.rb in the brbackup gem 0.1.1 for Ruby places the database password on the mysql command line, which allows local users to obtain sensitive information by listing the process.
Total number of vulnerabilities : 4561   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 (This Page)83 84 85 86 87 88 89 90 91 92
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.