CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
4251 CVE-2014-1375 264 Bypass 2014-07-01 2015-12-22
2.1
None Local Low Not required Partial None None
Intel Graphics Driver in Apple OS X before 10.9.4 allows local users to bypass the ASLR protection mechanism by leveraging read access to a kernel pointer in an IOKit object.
4252 CVE-2014-1360 20 Bypass 2014-07-01 2017-01-07
2.1
None Local Low Not required None Partial None
Lockdown in Apple iOS before 7.1.2 does not properly verify data from activation servers, which makes it easier for physically proximate attackers to bypass the Activation Lock protection mechanism via unspecified vectors.
4253 CVE-2014-1348 310 +Info 2014-07-01 2017-01-07
2.1
None Local Low Not required Partial None None
Mail in Apple iOS before 7.1.2 advertises the availability of data protection for attachments but stores cleartext attachments under mobile/Library/Mail/, which makes it easier for physically proximate attackers to obtain sensitive information by mounting the data partition.
4254 CVE-2014-1317 200 +Info 2014-07-01 2015-12-22
2.1
None Local Low Not required Partial None None
iBooks Commerce in Apple OS X before 10.9.4 places Apple ID credentials in the iBooks log, which allows local users to obtain sensitive information by reading this file.
4255 CVE-2014-1279 264 +Info 2014-03-14 2019-03-08
2.1
None Local Low Not required Partial None None
Apple TV before 6.1 does not properly restrict logging, which allows local users to obtain sensitive information by reading log data.
4256 CVE-2014-1274 200 +Info 2014-03-14 2014-03-14
2.1
None Local Low Not required Partial None None
FaceTime in Apple iOS before 7.1 allows physically proximate attackers to obtain sensitive FaceTime contact information by using the lock screen for an invalid FaceTime call.
4257 CVE-2014-1234 200 +Info 2014-01-10 2014-01-10
2.1
None Local Low Not required Partial None None
The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.
4258 CVE-2014-1233 200 +Info 2014-01-10 2014-01-10
2.1
None Local Low Not required Partial None None
The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.
4259 CVE-2014-0979 DoS 2014-01-23 2018-10-30
2.1
None Local Low Not required None None Partial
The start_authentication function in lightdm-gtk-greeter.c in LightDM GTK+ Greeter before 1.7.1 does not properly handle the return value from the lightdm_greeter_get_authentication_user function, which allows local users to cause a denial of service (NULL pointer dereference) via an empty username.
4260 CVE-2014-0905 264 2014-08-17 2017-08-29
2.9
None Local Network Medium Not required Partial None None
IBM InfoSphere BigInsights 2.0 through 2.1.2 does not set the secure flag for the LTPA cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
4261 CVE-2014-0876 119 DoS Overflow 2014-08-17 2017-08-29
2.1
None Local Low Not required None None Partial
Buffer overflow in the Java GUI Configuration Wizard and Preferences Editor in the backup-archive client in IBM Tivoli Storage Manager (TSM) 5.x and 6.x before 6.2.5.2, 6.3.x before 6.3.2, and 6.4.x before 6.4.2 on Windows and OS X allows local users to cause a denial of service (application crash or hang) via unspecified vectors.
4262 CVE-2014-0841 326 2018-04-27 2018-06-07
2.1
None Local Low Not required Partial None None
IBM Rational Focal Point 6.4.0, 6.4.1, 6.5.1, 6.5.2, and 6.6.0 use a weak algorithm to hash passwords, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack. IBM X-Force ID: 90704.
4263 CVE-2014-0647 255 2014-01-28 2018-10-09
2.1
None Local Low Not required Partial None None
The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog.
4264 CVE-2014-0624 +Priv Bypass 2014-03-06 2014-03-07
2.7
None Local Network Low ??? Partial None None
EMC RSA Data Loss Prevention (DLP) 9.x before 9.6-SP2 does not properly manage sessions, which allows remote authenticated users to gain privileges and bypass intended content-reading restrictions via unspecified vectors.
4265 CVE-2014-0595 119 Overflow 2014-05-08 2020-02-24
2.6
None Local High Not required Partial Partial None
/opt/novell/ncl/bin/nwrights in Novell Client for Linux in Novell Open Enterprise Server (OES) 11 Linux SP2 does not properly manage a certain array, which allows local users to obtain the S permission in opportunistic circumstances by leveraging the granting of the F permission by an administrator.
4266 CVE-2014-0591 119 DoS Overflow 2014-01-14 2018-10-30
2.6
None Remote High Not required None None Partial
The query_findclosestnsec3 function in query.c in named in ISC BIND 9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV before 9.6-ESV-R10-P2, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a crafted DNS query to an authoritative nameserver that uses the NSEC3 signing feature.
4267 CVE-2014-0430 2014-01-15 2017-08-29
2.8
None Remote Medium ??? None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema.
4268 CVE-2014-0420 2014-01-15 2019-12-17
2.8
None Remote Medium ??? None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Replication.
4269 CVE-2014-0406 2014-01-15 2017-08-29
2.4
None Local High ??? None Partial Partial
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-0404.
4270 CVE-2014-0404 2014-01-15 2017-08-29
2.4
None Local High ??? None Partial Partial
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-0406.
4271 CVE-2014-0381 2014-01-15 2014-02-07
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect integrity via vectors related to PIA Core Technology, a different vulnerability than CVE-2014-0445.
4272 CVE-2014-0370 2014-01-15 2014-02-07
2.8
None Remote Medium ??? None None Partial
Unspecified vulnerability in the Siebel Life Sciences component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Clinical Trip Report.
4273 CVE-2014-0243 59 2018-07-19 2018-09-17
2.1
None Local Low Not required Partial None None
Check_MK through 1.2.5i2p1 allows local users to read arbitrary files via a symlink attack to a file in /var/lib/check_mk_agent/job.
4274 CVE-2014-0241 522 2019-12-13 2019-12-18
2.1
None Local Low Not required Partial None None
rubygem-hammer_cli_foreman: File /etc/hammer/cli.modules.d/foreman.yml world readable
4275 CVE-2014-0219 20 DoS 2017-11-15 2019-01-08
2.1
None Local Low Not required None None Partial
Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports.
4276 CVE-2014-0206 +Info 2014-06-25 2018-12-13
2.1
None Local Low Not required Partial None None
Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value.
4277 CVE-2014-0202 255 +Info 2014-05-30 2014-06-26
2.1
None Local Low Not required Partial None None
The setup script in ovirt-engine-dwh, as used in the Red Hat Enterprise Virtualization Manager data warehouse (rhevm-dwh) package before 3.3.3, stores the history database password in cleartext, which allows local users to obtain sensitive information by reading an unspecified file.
4278 CVE-2014-0201 264 +Info 2014-05-29 2014-05-30
2.1
None Local Low Not required Partial None None
ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports package (rhevm-reports) before 3.3.3, uses world-readable permissions on configuration files, which allows local users to obtain sensitive information by reading the files.
4279 CVE-2014-0200 264 +Info 2014-05-29 2014-05-30
2.1
None Local Low Not required Partial None None
The Red Hat Enterprise Virtualization Manager reports (rhevm-reports) package before 3.3.3-1 uses world-readable permissions on the datasource configuration file (js-jboss7-ds.xml), which allows local users to obtain sensitive information by reading the file.
4280 CVE-2014-0199 310 +Info 2014-05-29 2014-05-30
2.1
None Local Low Not required Partial None None
The setup script in ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports (rhevm-reports) package before 3.3.3, stores the reports database password in cleartext, which allows local users to obtain sensitive information by reading an unspecified file.
4281 CVE-2014-0189 310 2014-05-02 2016-08-26
2.1
None Local Low Not required Partial None None
virt-who uses world-readable permissions for /etc/sysconfig/virt-who, which allows local users to obtain password for hypervisors by reading the file.
4282 CVE-2014-0181 264 Bypass 2014-04-27 2020-08-26
2.1
None Local Low Not required None Partial None
The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program.
4283 CVE-2014-0164 310 +Info 2014-05-05 2014-06-30
2.1
None Local Low Not required Partial None None
openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise 1.2.7 and 2.0.5, uses world-readable permissions for the mcollective client.cfg configuration file, which allows local users to obtain credentials and other sensitive information by reading the file.
4284 CVE-2014-0142 369 DoS 2017-08-10 2017-11-04
2.1
None Local Low Not required None None Partial
QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function in block/bochs.c.
4285 CVE-2014-0131 416 +Info 2014-03-24 2019-05-13
2.9
None Local Network Medium Not required Partial None None
Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.
4286 CVE-2014-0103 310 +Info 2014-07-29 2015-11-04
2.1
None Local Low Not required Partial None None
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.
4287 CVE-2014-0085 255 +Info 2014-04-17 2018-10-23
2.1
None Local Low Not required Partial None None
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.
4288 CVE-2014-0084 20 DoS 2019-11-21 2019-11-25
2.1
None Local Low Not required None None Partial
Ruby gem openshift-origin-node before 2014-02-14 does not contain a cronjob timeout which could result in a denial of service in cron.daily and cron.weekly.
4289 CVE-2014-0083 916 2019-11-21 2019-12-19
2.1
None Local Low Not required Partial None None
The Ruby net-ldap gem before 0.11 uses a weak salt when generating SSHA passwords.
4290 CVE-2014-0059 200 +Info 2014-11-17 2016-10-01
2.1
None Local Low Not required Partial None None
JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive information by reading this file.
4291 CVE-2014-0056 287 2014-05-08 2014-06-05
2.1
None Remote High ??? Partial None None
The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.
4292 CVE-2014-0046 79 XSS 2014-02-27 2018-08-13
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the link-to helper in Ember.js 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6, when used in non-block form, allows remote attackers to inject arbitrary web script or HTML via the title attribute.
4293 CVE-2013-7461 284 Bypass 2017-03-14 2017-03-16
2.1
None Local Low Not required None Partial None
A write protection and execution bypass vulnerability in McAfee (now Intel Security) Change Control (MCC) 6.1.0 for Linux and earlier allows authenticated users to change files that are part of write protection rules via specific conditions.
4294 CVE-2013-7460 284 Bypass 2017-03-14 2017-03-17
2.1
None Local Low Not required None Partial None
A write protection and execution bypass vulnerability in McAfee (now Intel Security) Application Control (MAC) 6.1.0 for Linux and earlier allows authenticated users to change binaries that are part of the Application Control whitelist and allows execution of binaries via specific conditions.
4295 CVE-2013-7458 200 +Info 2016-08-10 2018-08-08
2.1
None Local Low Not required Partial None None
linenoise, as used in Redis before 3.2.3, uses world-readable permissions for .rediscli_history, which allows local users to obtain sensitive information by reading the file.
4296 CVE-2013-7421 269 2015-03-02 2020-05-19
2.1
None Local Low Not required None Partial None
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.
4297 CVE-2013-7393 59 +Priv 2014-07-28 2016-10-18
2.4
None Local High ??? None Partial Partial
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions (ADT3).
4298 CVE-2013-7273 DoS 2014-04-29 2014-04-30
2.1
None Local Low Not required None None Partial
GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list is set to true, allows local users to cause a denial of service (unable to login) by pressing the cancel button after entering a user name.
4299 CVE-2013-7203 200 +Info 2018-09-21 2018-11-19
2.1
None Local Low Not required Partial None None
gitolite before commit fa06a34 might allow local users to read arbitrary files in repositories via vectors related to the user umask when running gitolite setup.
4300 CVE-2013-7128 310 +Info 2013-12-17 2013-12-18
2.1
None Local Low Not required Partial None None
Valve Bug Reporter in the valve-bugreporter package 2.10+bsos1 in Valve SteamOS Beta stores cleartext credentials in a .valve-bugreporter.cfg file upon a Remember Credentials action, which allows local users to obtain sensitive information by reading this file.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.