CVE Daily
← All years

All CVEs — 2014

Page 32/34.

Browse all CVEs by publication year. Use filters to refine.

CVSS ≥ 0.0
2014-02-06
Medium

CVE-2013-7319

Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field.

CVSS: 4.3 CWE: CWE-79
Read more
Critical

CVE-2013-6486

gtkutils.c in Pidgin before 2.10.8 on Windows allows user-assisted remote attackers to execute arbitrary programs via a message containing a file: URL that is improperly handled during construction o…

CVSS: 9.3 CWE: CWE-20
Read more
Medium

CVE-2013-6485

Buffer overflow in util.c in libpurple in Pidgin before 2.10.8 allows remote HTTP servers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid chu…

CVSS: 5.0 CWE: CWE-119
Read more
Medium

CVE-2013-6484

The STUN protocol implementation in libpurple in Pidgin before 2.10.8 allows remote STUN servers to cause a denial of service (out-of-bounds write operation and application crash) by triggering a soc…

CVSS: 5.0 CWE: CWE-20
Read more
Medium

CVE-2013-6483

The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not properly determine whether the from address in an iq reply is consistent with the to address in an iq request, which allows remo…

CVSS: 6.4 CWE: CWE-20
Read more
Medium

CVE-2013-6478

gtkimhtml.c in Pidgin before 2.10.8 does not properly interact with underlying library support for wide Pango layouts, which allows user-assisted remote attackers to cause a denial of service (applic…

CVSS: 4.3 CWE: CWE-20
Read more
Medium

CVE-2013-5983

Multiple cross-site scripting (XSS) vulnerabilities in GuppY before 4.6.28 allow remote attackers to inject arbitrary web script or HTML via the (1) "an" parameter to agenda.php or (2) cat parameter…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2012-6152

The Yahoo! protocol plugin in libpurple in Pidgin before 2.10.8 does not properly validate UTF-8 data, which allows remote attackers to cause a denial of service (application crash) via crafted byte…

CVSS: 5.0 CWE: CWE-20
Read more
Medium

CVE-2014-1491

Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does n…

CVSS: 4.3 CWE: CWE-326
Read more
Critical

CVE-2014-1490

Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24…

CVSS: 9.3 CWE: CWE-362
Read more
High

CVE-2014-1487

The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Polic…

CVSS: 7.5 CWE: CWE-346
Read more
Critical

CVE-2014-1486

Use-after-free vulnerability in the imgRequestProxy function in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers t…

CVSS: 9.8 CWE: CWE-416
Read more
Medium

CVE-2014-1484

Mozilla Firefox before 27.0 on Android 4.2 and earlier creates system-log entries containing profile paths, which allows attackers to obtain sensitive information via a crafted application.

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2014-1483

Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain t…

CVSS: 5.0 CWE: CWE-1021
Read more
High

CVE-2014-1482

RasterImage.cpp in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent access to discarded data, which allows remote attacke…

CVSS: 8.8 CWE: CWE-787
Read more
Medium

CVE-2014-1480

The file-download implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 does not properly restrict the timing of button selections, which allows remote attackers to conduct clickjac…

CVSS: 4.3 CWE: CWE-1021
Read more
Critical

CVE-2014-1478

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and applicat…

CVSS: 10.0 CWE: CWE-787
Read more
2014-02-05
Medium

CVE-2013-2074

kioslave/http/http.cpp in KIO in kdelibs 4.10.3 and earlier allows attackers to discover credentials via a crafted request that triggers an "internal server error," which includes the username and pa…

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2014-1833

Directory traversal vulnerability in uupdate in devscripts 2.14.1 allows remote attackers to modify arbitrary files via a crafted .orig.tar file, related to a symlink.

CVSS: 5.0 CWE: CWE-22
Read more
Medium

CVE-2013-1880

Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet in the demo web application in Apache ActiveMQ before 5.9.0 allows remote attackers to inject arbitrary web script or HTML…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2011-3344

Cross-site scripting (XSS) vulnerability in the Lookup Login/Password form in Spacewalk 1.6, as used in Red Hat Network (RHN) Satellite, allows remote attackers to inject arbitrary web script or HTML…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2011-2927

Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk 1.6, as used in Red Hat Network (RHN) Satellite, allow remote attackers to inject arbitrary web script or HTML via vectors related to…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2011-2920

Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk 1.6, as used in Red Hat Network (RHN) Satellite, allow remote attackers to inject arbitrary web script or HTML via the "Filter by Syno…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2011-2919

Cross-site scripting (XSS) vulnerability in Spacewalk 1.6, as used in Red Hat Network (RHN) Satellite, allows remote attackers to inject arbitrary web script or HTML via the QueryString to the System…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2011-1594

Open redirect vulnerability in Spacewalk 1.6, as used in Red Hat Network (RHN) Satellite, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in th…

CVSS: 5.8 CWE: CWE-20
Read more
Medium

CVE-2014-1403

Cross-site scripting (XSS) vulnerability in name.html in easyXDM before 2.4.19 allows remote attackers to inject arbitrary web script or HTML via the location.hash value.

CVSS: 4.3 CWE: CWE-79
Read more
Critical

CVE-2013-4978

Stack-based buffer overflow in AloahaPDFViewer 5.0.0.7 and earlier in Aloaha PDF Suite FREE allows remote attackers to execute arbitrary code via a crafted PDF file.

CVSS: 9.3 CWE: CWE-119
Read more
Medium

CVE-2013-3639

Multiple cross-site scripting (XSS) vulnerabilities in Xaraya 2.4.0-b1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) id, (2) interface, (3) name, or (4) tabmod…

CVSS: 4.3 CWE: CWE-79
Read more
Critical

CVE-2013-2691

Stack-based buffer overflow in the JetMPG.ax module in jetAudio 8.0.17 allows remote attackers to execute arbitrary code via a crafted MPEG2-TS video file, related to the MPEG2 transport stream.

CVSS: 9.3 CWE: CWE-119
Read more
Medium

CVE-2013-1967

Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before 5.0.5 and 4.5.x before 4.5.10, allows remote attackers to i…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2013-1852

SQL injection vulnerability in leaguemanager.php in the LeagueManager plugin before 3.8.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the league_id parameter in the le…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2013-1470

Cross-site scripting (XSS) vulnerability in calendar/index.php in the Calendar plugin in Geeklog before 1.8.2sr1 and 2.0.0 before 2.0.0rc2 allows remote attackers to inject arbitrary web script or HT…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2013-1466

Multiple cross-site scripting (XSS) vulnerabilities in glFusion before 1.2.2.pl4 allow remote attackers to inject arbitrary web script or HTML via the (1) subject parameter to profiles.php; (2) addre…

CVSS: 4.3 CWE: CWE-79
Read more
Critical

CVE-2014-0497

Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, allows remote attackers to execute ar…

CVSS: 9.8 CWE: CWE-191
Read more
2014-02-04
Medium

CVE-2011-2725

Directory traversal vulnerability in Ark 4.7.x and earlier allows remote attackers to delete and force the display of arbitrary files via .. (dot dot) sequences in a zip file.

CVSS: 6.8 CWE: CWE-22
Read more
Medium

CVE-2012-6493

Cross-site request forgery (CSRF) vulnerability in Rapid7 Nexpose Security Console before 5.5.4 allows remote attackers to hijack the authentication of unspecified victims for requests that delete sc…

CVSS: 6.8 CWE: CWE-352
Read more
Low

CVE-2014-1458

Cross-site scripting (XSS) vulnerability in the web administration interface in FortiGuard FortiWeb 5.0.3 and earlier allows remote authenticated administrators to inject arbitrary web script or HTML…

CVSS: 3.5 CWE: CWE-79
Read more
Critical

CVE-2012-2108

Stack-based buffer overflow in the main function in util/lpci_main.c in Csound before 5.17.2, when converting a file, allows user-assisted remote attackers to execute arbitrary code via a crafted fil…

CVSS: 9.3 CWE: CWE-119
Read more
Medium

CVE-2014-1694

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/…

CVSS: 6.8 CWE: CWE-352
Read more
High

CVE-2014-1471

SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows…

CVSS: 7.5 CWE: CWE-89
Read more
Low

CVE-2014-0019

Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and 2.0.0-b1 through 2.0.0-b6 allows local users to cause a denial of service (segmentation fault) via a long server name in the PROXY-CON…

CVSS: 1.9 CWE: CWE-119
Read more
High

CVE-2013-3365

TRENDnet TEW-812DRU router allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) wan network prefix to internet/ipv6.asp; (2) remote port to adm/manageme…

CVSS: 8.5 CWE: CWE-78
Read more
Medium

CVE-2013-3098

Multiple cross-site request forgery (CSRF) vulnerabilities in TRENDnet TEW-812DRU router with firmware before 1.0.9.0 allow remote attackers to hijack the authentication of administrators for request…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-0834

IBM General Parallel File System (GPFS) 3.4 through 3.4.0.27 and 3.5 through 3.5.0.16 allows attackers to cause a denial of service (daemon crash) via crafted arguments to a setuid program.

CVSS: 4.0 CWE: CWE-20
Read more
High

CVE-2013-7183

cgi-bin/reboot.cgi on Seowon Intech SWC-9100 routers allows remote attackers to (1) cause a denial of service (reboot) via a default_reboot action or (2) reset all configuration values via a factory_…

CVSS: 7.8 CWE: CWE-287
Read more
Medium

CVE-2013-7182

Cross-site scripting (XSS) vulnerability in firewall/schedule/recurrdlg in Fortinet FortiOS 5.0.5 allows remote attackers to inject arbitrary web script or HTML via the mkey parameter.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2013-7181

Cross-site scripting (XSS) vulnerability in user/ldap_user/add in Fortinet FortiOS 5.0.3 allows remote attackers to inject arbitrary web script or HTML via the filter parameter.

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2013-7179

The ping functionality in cgi-bin/diagnostic.cgi on Seowon Intech SWC-9100 routers allows remote attackers to execute arbitrary commands via shell metacharacters in the ping_ipaddr parameter.

CVSS: 8.3 CWE: CWE-20
Read more
Critical

CVE-2013-6035

The firmware on GateHouse; Harris BGAN RF-7800B-VU204 and BGAN RF-7800B-DU204; Hughes Network Systems 9201, 9450, and 9502; Inmarsat; Japan Radio JUE-250 and JUE-500; and Thuraya IP satellite termina…

CVSS: 10.0 CWE: CWE-287
Read more
Low

CVE-2013-6033

Multiple cross-site scripting (XSS) vulnerabilities on Lexmark W840 through LS.HA.P252, T64x before LS.ST.P344, C935dn through LC.JO.P091, C920 through LS.TA.P152, C53x through LS.SW.P069, C52x throu…

CVSS: 3.5 CWE: CWE-79
Read more
Critical

CVE-2013-6032

cgi-bin/postpf/cgi-bin/dynamic/config/config.html on Lexmark X94x before LC.BR.P142, X85x through LC4.BE.P487, X644 and X646 before LC2.MC.P374, X642 through LC2.MB.P318, W840 through LS.HA.P252, T64…

CVSS: 10.0 CWE: CWE-20
Read more
Medium

CVE-2013-5427

Cross-site request forgery (CSRF) vulnerability in IBM InfoSphere Master Data Management - Collaborative Edition 10.x before 10.1 FP8 through 11.0 and InfoSphere Master Data Management Server for Pro…

CVSS: 6.8 CWE: CWE-352
Read more
2014-02-03
Medium

CVE-2013-4739

The MSM camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to obtain sensitive information…

CVSS: 4.9 CWE: CWE-200
Read more
High

CVE-2013-4738

Multiple stack-based buffer overflows in the MSM camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow a…

CVSS: 7.2 CWE: CWE-119
Read more
Low

CVE-2011-4327

ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms executes ssh-rand-helper with unintended open file descriptors, which allows local users to obtain sensitive key information…

CVSS: 2.1 CWE: CWE-200
Read more
2014-02-02
Medium

CVE-2013-0234

Cross-site scripting (XSS) vulnerability in the Twitter widget in Elgg before 1.7.17 and 1.8.x before 1.8.13 allows remote attackers to inject arbitrary web script or HTML via the params[twitter_user…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-0015

cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via…

CVSS: 4.0 CWE: CWE-287
Read more
Medium

CVE-2013-7300

Absolute path traversal vulnerability in cantata before 1.2.2 allows local users to read arbitrary files via a full pathname in a request to the internal httpd server. NOTE: this vulnerability can b…

CVSS: 5.0 CWE: CWE-22
Read more
2014-02-01
Low

CVE-2014-0832

Multiple cross-site scripting (XSS) vulnerabilities in configuration-details screens in the OAC component in IBM Financial Transaction Manager (FTM) 2.0 before 2.0.0.3 allow remote authenticated user…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-0831

Cross-site request forgery (CSRF) vulnerability in the OAC component in IBM Financial Transaction Manager (FTM) 2.0 before 2.0.0.3 allows remote attackers to hijack the authentication of arbitrary us…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-0830

Directory traversal vulnerability in the table-export implementation in the OAC component in IBM Financial Transaction Manager (FTM) 2.0 before 2.0.0.3 and 2.1 before 2.1.0.1 allows remote authentica…

CVSS: 4.0 CWE: CWE-22
Read more
Medium

CVE-2014-0812

Cross-site scripting (XSS) vulnerability in KENT-WEB Joyful Note 2.8 and earlier, when Internet Explorer 7 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via unspe…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2013-7177

config/filter.d/cyrus-imap.conf in the cyrus-imap filter in Fail2ban before 0.8.11 allows remote attackers to trigger the blocking of an arbitrary IP address via a crafted e-mail address that matches…

CVSS: 5.0 CWE: CWE-20
Read more
Medium

CVE-2013-7176

config/filter.d/postfix.conf in the postfix filter in Fail2ban before 0.8.11 allows remote attackers to trigger the blocking of an arbitrary IP address via a crafted e-mail address that matches an im…

CVSS: 5.0 CWE: CWE-20
Read more
Medium

CVE-2013-4043

The server in IBM SPSS Collaboration and Deployment Services 4.x before 4.2.1.3 IF3, 5.x before 5.0 FP3, and 6.x before 6.0 IF1 allows remote attackers to read arbitrary files via an unspecified HTTP…

CVSS: 5.0 CWE: CWE-200
Read more
2014-01-31
High

CVE-2014-0001

Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server…

CVSS: 7.5 CWE: CWE-119
Read more
Medium

CVE-2013-6143

The Schneider Electric Telvent SAGE 3030 RTU with firmware C3413-500-001D3_P4 and C3413-500-001F0_PB allows remote attackers to cause a denial of service (temporary outage and CPU consumption) via ma…

CVSS: 5.0 CWE: CWE-20
Read more
High

CVE-2014-1204

SQL injection vulnerability in Tableau Server 8.0.x before 8.0.7 and 8.1.x before 8.1.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2013-6235

Multiple cross-site scripting (XSS) vulnerabilities in JAMon (Java Application Monitor) 2.7 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) listenertype or (2) c…

CVSS: 4.3 CWE: CWE-79
Read more
Critical

CVE-2013-4979

Buffer overflow in the gldll32.dll module in EPS Viewer 3.2 and earlier allows remote attackers to execute arbitrary code via a crafted EPS file.

CVSS: 9.3 CWE: CWE-119
Read more
Low

CVE-2013-4383

Cross-site scripting (XSS) vulnerability in the jQuery Countdown module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "access administration pages" permission to inject…

CVSS: 2.1 CWE: CWE-79
Read more
2014-01-30
Medium

CVE-2014-1610

MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metac…

CVSS: 6.0 CWE: CWE-20
Read more
Medium

CVE-2013-7303

Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-1837

Cross-site scripting (XSS) vulnerability in the StackIdeas Komento (com_komento) component before 1.7.4 for Joomla! allows remote attackers to inject arbitrary web script or HTML via vectors related…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-1612

Cross-site scripting (XSS) vulnerability in login.esp in the Web Management Interface in Media5 Mediatrix 4402 VoIP Gateway with firmware Dgw 1.1.13.186 and earlier allows remote attackers to inject…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-1611

Cross-site scripting (XSS) vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the contact name field.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-0793

Multiple cross-site scripting (XSS) vulnerabilities in the StackIdeas Komento (com_komento) component before 1.7.3 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1…

CVSS: 4.3 CWE: CWE-79
Read more
Critical

CVE-2013-7246

Buffer overflow in the IconCreate method in an ActiveX control in the DaumGame ActiveX plugin 1.1.0.4 and 1.1.0.5 allows remote attackers to execute arbitrary code via a long string, as exploited in…

CVSS: 9.3 CWE: CWE-119
Read more
Medium

CVE-2013-3090

Multiple cross-site scripting (XSS) vulnerabilities in Belkin N300 router allow remote attackers to inject arbitrary web script or HTML via the Guest Access PSK field to wireless_guest2_print.stm or…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2013-3087

Multiple cross-site scripting (XSS) vulnerabilities in Belkin N900 router allow remote attackers to inject arbitrary web script or HTML via the (1) ssid2 parameter to wl_channel.html or (2) guest_psk…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2013-3084

Multiple cross-site scripting (XSS) vulnerabilities in Belkin Model F5D8236-4 v2 router allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 4.3 CWE: CWE-79
Read more
Critical

CVE-2013-1376

Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability…

CVSS: 10.0 CWE: CWE-119
Read more
Low

CVE-2013-0177

Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.05, 11.04.01, and possibly 09.04.x all…

CVSS: 3.5 CWE: CWE-79
Read more
High

CVE-2012-3000

Multiple SQL injection vulnerabilities in sam/admin/reports/php/saveSettings.php in the (1) APM WebGUI in F5 BIG-IP LTM, GTM, ASM, Link Controller, PSM, APM, Edge Gateway, and Analytics and (2) AVR W…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2014-0836

Cross-site scripting (XSS) vulnerability in IBM Security QRadar SIEM 7.2 MR1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-0835

Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar SIEM 7.2 MR1 and earlier allows remote attackers to hijack the authentication of administrators for requests that modify console…

CVSS: 6.8 CWE: CWE-352
Read more
2014-01-29
Medium

CVE-2014-1683

The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary…

CVSS: 6.8 CWE: CWE-134
Read more
Medium

CVE-2013-7318

Cross-site scripting (XSS) vulnerability in BusinessFlow/login in AlgoSec Firewall Analyzer 6.4 allows remote attackers to inject arbitrary web script or HTML via the message parameter.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2013-5092

Cross-site scripting (XSS) vulnerability in afa/php/Login.php in AlgoSec Firewall Analyzer 6.1-b86 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2013-5005

Multiple cross-site scripting (XSS) vulnerabilities in ajaxRequest/methodCall.do in Tripwire Enterprise 8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) m_tar…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2013-4889

Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in Digital Signage Xibo 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) add a…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2013-4888

Cross-site scripting (XSS) vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the layout parameter in the layout page.

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2013-4887

SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to execute arbitrary SQL commands via the displayid parameter.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2013-4662

The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to…

CVSS: 6.5 CWE: CWE-89
Read more
Medium

CVE-2014-0681

Cross-site scripting (XSS) vulnerability in Cisco Identity Services Engine (ISE) 1.2 patch 2 and earlier allows remote attackers to inject arbitrary web script or HTML via a report containing a craft…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-0680

Cross-site scripting (XSS) vulnerability in the HTTP control interface in the NAC Web Agent component in Cisco Identity Services Engine (ISE) allows remote attackers to inject arbitrary web script or…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2014-1692

The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attack…

CVSS: 7.5 CWE: CWE-119
Read more
Medium

CVE-2013-6931

SQL injection vulnerability in the API in Cybozu Garoon 3.7.x before 3.7.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than…

CVSS: 6.5 CWE: CWE-89
Read more
Medium

CVE-2013-6930

SQL injection vulnerability in the page-navigation implementation in Cybozu Garoon 2.0.0 through 2.0.6, 2.1.0 through 2.1.3, 2.5.0 through 2.5.4, 3.0.0 through 3.0.3, 3.5.0 through 3.5.5, and 3.7.x b…

CVSS: 6.5 CWE: CWE-89
Read more
High

CVE-2013-6749

Buffer overflow in the ActiveX control in qp2.cab in IBM Lotus Quickr for Domino 8.5.1 before 8.5.1.42-001b allows remote attackers to execute arbitrary code via a crafted HTML document, a different…

CVSS: 7.5 CWE: CWE-119
Read more
High

CVE-2013-6748

Buffer overflow in the ActiveX control in qp2.cab in IBM Lotus Quickr for Domino 8.5.1 before 8.5.1.42-001b allows remote attackers to execute arbitrary code via a crafted HTML document, a different…

CVSS: 7.5 CWE: CWE-119
Read more
2014-01-28
Medium

CVE-2013-5094

Cross-site scripting (XSS) vulnerability in index.exp in McAfee Vulnerability Manager 7.5 allows remote attackers to inject arbitrary web script or HTML via the cert_cn cookie parameter.

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2013-6650

The StoreBuffer::ExemptPopularPages function in store-buffer.cc in Google V8 before 3.22.24.16, as used in Google Chrome before 32.0.1700.102, allows remote attackers to cause a denial of service (me…

CVSS: 7.5 CWE: CWE-20
Read more
Low

CVE-2014-1640

axiom-test.sh in axiom 20100701-1.1 uses tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows local users to overwrite…

CVSS: 3.3 CWE: CWE-59
Read more
Low

CVE-2014-1639

syncevo/installcheck-local.sh in syncevolution before 1.3.99.7 uses mktemp to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows…

CVSS: 3.3 CWE: CWE-59
Read more
Low

CVE-2014-1638

(1) debian/postrm and (2) debian/localepurge.config in localepurge before 0.7.3.2 use tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new fil…

CVSS: 3.3 CWE: CWE-59
Read more
Low

CVE-2014-1624

Race condition in the xdg.BaseDirectory.get_runtime_dir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to…

CVSS: 3.3 CWE: CWE-59
Read more
Medium

CVE-2012-5192

Directory traversal vulnerability in gmap/view_overlay.php in Bitweaver 2.8.1 and earlier allows remote attackers to read arbitrary files via "''%2F" (dot dot encoded slash) sequences in the overlay_…

CVSS: 5.0 CWE: CWE-22
Read more
2014-01-27
High

CVE-2013-6747

IBM GSKit 7.x before 7.0.4.48 and 8.x before 8.0.50.16, as used in IBM Security Directory Server (ISDS) and Tivoli Directory Server (TDS), allows remote attackers to cause a denial of service (applic…

CVSS: 7.1 CWE: CWE-20
Read more
2014-01-26
Medium

CVE-2014-1664

The Citrix GoToMeeting application 5.0.799.1238 for Android logs HTTP requests containing sensitive information, which allows attackers to obtain user IDs, meeting details, and authentication tokens…

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2014-1607

Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: thi…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-0794

SQL injection vulnerability in the JV Comment (com_jvcomment) component before 3.0.3 for Joomla! allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a comment.…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2013-7299

framework/common/messageheaderparser.cpp in Tntnet before 2.2.1 allows remote attackers to obtain sensitive information via a header that ends in \n instead of \r\n, which prevents a null terminator…

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2013-7143

Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 allows remote attackers to inject arbitrary web script or HTML via the title in a mail filter rule.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2013-7142

Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified oAuth API functions.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2013-7141

Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to crafted "<%"…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2013-4304

The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has…

CVSS: 7.5 CWE: CWE-287
Read more
Medium

CVE-2014-0022

The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RMP pack…

CVSS: 5.0 CWE: CWE-20
Read more
Medium

CVE-2013-6429

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitra…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-1671

Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress elem…

CVSS: 6.5 CWE: CWE-89
Read more