The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address.
Max CVSS
2.1
EPSS Score
0.04%
Published
2014-12-26
Updated
2018-01-05
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 uses part of the MAC address as part of the RC4 setup key, which makes it easier for remote attackers to guess the key via a brute-force attack.
Max CVSS
5.0
EPSS Score
0.48%
Published
2014-12-19
Updated
2018-10-09
The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page.
Max CVSS
4.3
EPSS Score
0.18%
Published
2014-12-10
Updated
2014-12-11
Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint.
Max CVSS
4.0
EPSS Score
0.12%
Published
2014-12-19
Updated
2019-07-10
EntryPass N5200 Active Network Control Panel allows remote attackers to read device memory and obtain the administrator username and password via a URL starting with an ASCII character o through z or A through D, different vectors than CVE-2014-8868.
Max CVSS
7.8
EPSS Score
0.48%
Published
2014-12-07
Updated
2018-10-09
The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL.
Max CVSS
5.0
EPSS Score
0.50%
Published
2014-12-08
Updated
2021-01-12
Zenoss Core through 5 Beta 3 stores cleartext passwords in the session database, which might allow local users to obtain sensitive information by reading database entries, aka ZEN-15416.
Max CVSS
2.1
EPSS Score
0.04%
Published
2014-12-15
Updated
2016-03-21
Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a Set-Cookie header for the authentication cookie, which makes it easier for remote attackers to obtain credential information via script access to this cookie, aka ZEN-10418.
Max CVSS
5.0
EPSS Score
0.35%
Published
2014-12-15
Updated
2016-03-21
Zenoss Core through 5 Beta 3 allows remote authenticated users to obtain sensitive (1) user account, (2) e-mail address, and (3) role information by visiting the ZenUsers (aka User Manager) page, aka ZEN-15389.
Max CVSS
4.0
EPSS Score
0.15%
Published
2014-12-15
Updated
2016-03-21
Zenoss Core through 5 Beta 3 allows remote attackers to obtain sensitive information by attempting a product-rename action with an invalid new name and then reading a stack trace, as demonstrated by internal URL information, aka ZEN-15382.
Max CVSS
5.0
EPSS Score
0.33%
Published
2014-12-15
Updated
2016-03-21
The HTML5 MP3 Player with Playlist Free plugin before 2.7 for WordPress allows remote attackers to obtain the installation path via a request to html5plus/playlist.php.
Max CVSS
5.0
EPSS Score
0.61%
Published
2014-12-02
Updated
2017-09-08
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to obtain sensitive information via unspecified vectors.
Max CVSS
10.0
EPSS Score
0.53%
Published
2014-12-10
Updated
2018-12-20
The FileField module 6.x-3.x before 6.x-3.13 for Drupal does not properly check permissions to view files, which allows remote authenticated users with permission to create or edit content to read private files by attaching an uploaded file.
Max CVSS
4.0
EPSS Score
0.25%
Published
2014-12-01
Updated
2014-12-01
The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly restrict access to (1) new or (2) modified nodes or (3) their fields, which allows remote authenticated users to obtain node titles, teasers, and fields by reading a notification email.
Max CVSS
4.0
EPSS Score
0.10%
Published
2014-12-01
Updated
2014-12-05
The default checkout completion rule in the commerce_order module in the Drupal Commerce module 7.x-1.x before 7.x-1.10 for Drupal uses the email address as the username for new accounts created at checkout, which allows remote attackers to obtain sensitive information via unspecified vectors.
Max CVSS
5.0
EPSS Score
0.18%
Published
2014-11-20
Updated
2014-11-21
Icecast before 2.4.1 transmits the output of the on-connect script, which might allow remote attackers to obtain sensitive information, related to shared file descriptors.
Max CVSS
5.0
EPSS Score
1.98%
Published
2014-12-03
Updated
2017-09-08
The ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses predictable names for the questionnaire answer forms, which makes it easier for remote attackers to obtain sensitive information via a direct request.
Max CVSS
5.0
EPSS Score
0.32%
Published
2014-12-02
Updated
2018-10-09
GleamTech FileVista before 6.1 allows remote authenticated users to obtain sensitive information via a crafted path when saving a zip file, which reveals the installation path in an error message.
Max CVSS
4.0
EPSS Score
0.14%
Published
2014-12-02
Updated
2014-12-05
MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
Max CVSS
5.0
EPSS Score
0.24%
Published
2014-12-03
Updated
2019-10-22
The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter.
Max CVSS
5.0
EPSS Score
0.66%
Published
2014-10-22
Updated
2016-04-04
inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call.
Max CVSS
5.0
EPSS Score
0.66%
Published
2014-10-22
Updated
2015-09-10
The Open Atrium Core module for Drupal before 7.x-2.22 allows remote attackers to bypass access restrictions and read file attachments that have been removed from a node by leveraging a previous revision of the node.
Max CVSS
5.0
EPSS Score
0.16%
Published
2014-11-12
Updated
2014-11-13
The Bad Behavior module 6.x-2.x before 6.x-2.2216 and 7.x-2.x before 7.x-2.2216 for Drupal logs usernames and passwords, which allows remote authenticated users with the "administer bad behavior" permission to obtain sensitive information by reading a log file.
Max CVSS
4.0
EPSS Score
0.15%
Published
2014-11-12
Updated
2019-07-16
The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets.
Max CVSS
5.0
EPSS Score
0.62%
Published
2014-11-10
Updated
2017-09-08
The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile."
Max CVSS
7.8
EPSS Score
42.92%
Published
2014-11-25
Updated
2015-02-17
356 vulnerabilities found
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!