CVE Daily
← All years

Uncategorized 2014

Page 1/33.

CVEs without a recognized CWE (not present in the CWE map or marked as N/A).

CVSS ≥ 0.0
2014-12-31
High

CVE-2014-9426

The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which allows remote attacke…

CVSS: 7.3CWE: CWE-17
Read more
High

CVE-2014-9425

Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of…

CVSS: 7.5CWE: N/A
Read more
2014-12-30
Medium

CVE-2014-4634

Unquoted Windows search path vulnerability in EMC Replication Manager through 5.5.2 and AppSync before 2.1.0 allows local users to gain privileges via a Trojan horse application with a name composed…

CVSS: 4.6CWE: N/A
Read more
Medium

CVE-2014-4630

EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.6 and RSA BSAFE SSL-J before 6.1.4 do not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotia…

CVSS: 4.3CWE: CWE-310
Read more
2014-12-29
Medium

CVE-2014-2224

Plogger 1.0 RC1 and earlier, when the Lucid theme is used, does not assign new values for certain codes, which makes it easier for remote attackers to bypass the CAPTCHA protection mechanism via a se…

CVSS: 5.0CWE: CWE-254
Read more
Low

CVE-2014-6160

IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attac…

CVSS: 2.1CWE: CWE-264
Read more
High

CVE-2014-9424

Double free vulnerability in the ssl_parse_clienthello_use_srtp_ext function in d1_srtp.c in LibreSSL before 2.1.2 allows remote attackers to cause a denial of service or possibly have unspecified ot…

CVSS: 7.5CWE: N/A
Read more
Medium

CVE-2014-8132

Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet.

CVSS: 5.0CWE: N/A
Read more
2014-12-28
High

CVE-2014-6228

Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (a…

CVSS: 7.5CWE: CWE-189
Read more
Medium

CVE-2014-5386

The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for rem…

CVSS: 5.0CWE: CWE-310
Read more
Medium

CVE-2014-2209

Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypa…

CVSS: 5.0CWE: CWE-264
Read more
Low

CVE-2010-5075

Integer overflow in aswFW.sys 5.0.594.0 in Avast! Internet Security 5.0 Korean Trial allows local users to cause a denial of service (memory corruption and panic) via a crafted IOCTL_ASWFW_COMM_PIDIN…

CVSS: 2.1CWE: CWE-189
Read more
2014-12-27
Medium

CVE-2013-6919

The default configuration of phpThumb before 1.7.12 has a false value for the disable_debug option, which allows remote attackers to conduct Server-Side Request Forgery (SSRF) attacks via the src par…

CVSS: 4.3CWE: N/A
Read more
High

CVE-2013-6227

Unrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by u…

CVSS: 7.5CWE: N/A
Read more
Medium

CVE-2013-5958

The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a lon…

CVSS: 5.0CWE: CWE-399
Read more
2014-12-26
Medium

CVE-2013-4769

The cloud controller (aka CLC) component in Eucalyptus 3.3.x and 3.4.x before 3.4.2, when the dns.recursive.enabled setting is used, allows remote attackers to cause a denial of service (traffic ampl…

CVSS: 4.3CWE: CWE-19
Read more
High

CVE-2010-2062

Integer underflow in the real_get_rdt_chunk function in real.c, as used in modules/access/rtsp/real.c in VideoLAN VLC media player before 1.0.1 and stream/realrtsp/real.c in MPlayer before r29447, al…

CVSS: 7.5CWE: CWE-189
Read more
Medium

CVE-2010-1443

The parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer…

CVSS: 5.0CWE: N/A
Read more
High

CVE-2011-1796

Use-after-free vulnerability in the FrameView::calculateScrollbarModesForLayout function in page/FrameView.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to caus…

CVSS: 7.5CWE: N/A
Read more
High

CVE-2011-1795

Integer underflow in the HTMLFormElement::removeFormElement function in html/HTMLFormElement.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of…

CVSS: 7.5CWE: CWE-189
Read more
High

CVE-2011-1794

Integer overflow in the FilterEffect::copyImageBytes function in platform/graphics/filters/FilterEffect.cpp in the SVG filter implementation in WebCore in WebKit in Google Chrome before 11.0.696.65 a…

CVSS: 7.5CWE: CWE-189
Read more
Medium

CVE-2014-9420

The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service…

CVSS: 4.9CWE: CWE-399
Read more
2014-12-25
High

CVE-2014-7300

GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to ex…

CVSS: 7.2CWE: CWE-399
Read more
2014-12-24
Medium

CVE-2014-9416

Multiple untrusted search path vulnerabilities in Huawei eSpace Desktop before V200R003C00 allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) mfc71en…

CVSS: 4.4CWE: N/A
Read more
Critical

CVE-2014-9222

AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory cor…

CVSS: 10.0CWE: CWE-17
Read more
Medium

CVE-2014-8137

Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a cr…

CVSS: 6.8CWE: N/A
Read more
Medium

CVE-2014-6186

IBM WebSphere Service Registry and Repository (WSRR) 6.3.x before 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x before 7.5.0.3, and 8.0.x before 8.0.0.1 allows remote authenticated users to bypass intended o…

CVSS: 4.0CWE: CWE-264
Read more
Medium

CVE-2014-6181

IBM WebSphere Service Registry and Repository (WSRR) 7.0.x before 7.0.0.5 does not perform access-control checks for contained objects, which allows remote authenticated users to obtain sensitive inf…

CVSS: 4.0CWE: CWE-264
Read more
Medium

CVE-2014-6177

IBM WebSphere Service Registry and Repository (WSRR) 7.0.x before 7.0.0.5 and 7.5.x before 7.5.0.3 does not perform access-control checks for depth-0 retrieve operations, which allows remote authenti…

CVSS: 4.0CWE: CWE-264
Read more
Medium

CVE-2014-6153

The Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3.x through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 does not set the…

CVSS: 4.3CWE: CWE-310
Read more
Medium

CVE-2014-3569

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denia…

CVSS: 5.0CWE: N/A
Read more
High

CVE-2014-7999

Cisco-Meraki MS, MR, and MX devices with firmware before 2014-09-24 allow remote authenticated users to install arbitrary firmware by leveraging unspecified HTTP handler access on the local network,…

CVSS: 7.7CWE: CWE-264
Read more
High

CVE-2014-7995

Cisco-Meraki MS, MR, and MX devices with firmware before 2014-09-24 allow physically proximate attackers to obtain shell access by opening a device's case and connecting a cable to a serial port, aka…

CVSS: 7.2CWE: CWE-264
Read more
2014-12-23
Medium

CVE-2014-5214

nps/servlet/webacc in iManager in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated novlwww users to read arbitrary files via a query pa…

CVSS: 4.0CWE: N/A
Read more
Medium

CVE-2014-6122

IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8.6 IFix 004, 8.7 before 8.7 IFix 004, 8.8 before 8.8 iFix 003, 9.0 before 9.0.0.1 iFix 003, and 9.0.1 before 9.0.1 iFix 001 allows…

CVSS: 5.5CWE: CWE-264
Read more
2014-12-22
Medium

CVE-2014-8015

The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur6440…

CVSS: 4.0CWE: CWE-264
Read more
2014-12-20
High

CVE-2014-8142

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execu…

CVSS: 7.5CWE: N/A
Read more
Medium

CVE-2014-9296

The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended associ…

CVSS: 5.0CWE: CWE-17
Read more
High

CVE-2014-9294

util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.

CVSS: 7.5CWE: N/A
Read more
High

CVE-2014-9293

The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection…

CVSS: 7.5CWE: N/A
Read more
2014-12-19
Medium

CVE-2014-9403

The CWebAdminMod::ChanPage function in modules/webadmin.cpp in ZNC before 1.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by adding a channel w…

CVSS: 4.0CWE: N/A
Read more
Medium

CVE-2014-9381

Integer signedness error in the dissector_cvs function in dissectors/ec_cvs.c in Ettercap 0.8.1 allows remote attackers to cause a denial of service (crash) via a crafted password, which triggers a l…

CVSS: 5.0CWE: CWE-189
Read more
High

CVE-2014-9376

Integer underflow in Ettercap 0.8.1 allows remote attackers to cause a denial of service (out-of-bounds write) and possibly execute arbitrary code via a small (1) size variable value in the dissector…

CVSS: 7.5CWE: N/A
Read more
Medium

CVE-2014-9324

The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vector…

CVSS: 6.0CWE: CWE-264
Read more
Medium

CVE-2014-9135

The PackageInstaller module in Huawei P7-L10 smartphones before V100R001C00B136 allows remote attackers to spoof the origin website and bypass the website whitelist protection mechanism via a crafted…

CVSS: 4.3CWE: CWE-264
Read more
Medium

CVE-2014-8875

The XML_RPC_cd function in lib/pear/XML/RPC.php in Revive Adserver before 3.0.6 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML-RPC request, aka an…

CVSS: 5.0CWE: N/A
Read more
Low

CVE-2014-8136

The (1) qemuDomainMigratePerform and (2) qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allow local users to cause a denia…

CVSS: 2.1CWE: CWE-264
Read more
Low

CVE-2014-8135

The storageVolUpload function in storage/storage_driver.c in libvirt before 1.2.11 does not check a certain return value, which allows local users to cause a denial of service (NULL pointer dereferen…

CVSS: 2.1CWE: N/A
Read more
Medium

CVE-2014-2716

Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers t…

CVSS: 4.3CWE: CWE-310
Read more
Medium

CVE-2013-4442

Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVSS: 5.0CWE: CWE-310
Read more
Medium

CVE-2013-4440

Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVSS: 5.0CWE: CWE-255
Read more
Medium

CVE-2014-8272

The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote at…

CVSS: 5.0CWE: N/A
Read more
Medium

CVE-2014-8016

The Cisco IronPort Email Security Appliance (ESA) allows remote attackers to cause a denial of service (CPU consumption) via long Subject headers in e-mail messages, aka Bug ID CSCzv93864.

CVSS: 5.0CWE: CWE-399
Read more
Medium

CVE-2014-6193

IBM WebSphere Portal 8.0.0 through 8.0.0.1 CF14 and 8.5.0 before CF04, when the Managed Pages setting is enabled, allows remote authenticated users to write to pages via an XML injection attack.

CVSS: 4.9CWE: N/A
Read more
2014-12-18
Medium

CVE-2014-8901

IBM DB2 9.5 through FP10, 9.7 through FP10, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP5 allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted XML q…

CVSS: 4.0CWE: CWE-399
Read more
Medium

CVE-2014-8890

IBM WebSphere Application Server Liberty Profile 8.5.x before 8.5.5.4 allows remote attackers to gain privileges by leveraging the combination of a servlet's deployment descriptor security constraint…

CVSS: 5.1CWE: CWE-264
Read more
Medium

CVE-2014-8014

Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCub63710.

CVSS: 5.0CWE: CWE-19
Read more
Medium

CVE-2014-6174

IBM WebSphere Application Server 7.x before 7.0.0.37, 8.0.x before 8.0.0.10, and 8.5.x before 8.5.5.4 allows remote attackers to conduct clickjacking attacks via a crafted web site.

CVSS: 4.3CWE: CWE-254
Read more
Medium

CVE-2014-6166

The Communications Enabled Applications (CEA) service in IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4, and Feature Pack for CEA 1.x before 1.0.0.15, allows remote a…

CVSS: 4.3CWE: N/A
Read more
Medium

CVE-2014-6089

IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote authenticated users to cause a denial of service (d…

CVSS: 4.0CWE: CWE-19
Read more
Medium

CVE-2014-6087

IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 make it easier for remote attackers to obtain sensitive informat…

CVSS: 5.0CWE: CWE-310
Read more
Medium

CVE-2014-6084

IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 make it easier for remote attackers to obtain sensitive informat…

CVSS: 5.0CWE: CWE-310
Read more
Medium

CVE-2014-6082

IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote authenticated users to cause a denial of service (a…

CVSS: 4.0CWE: N/A
Read more
Medium

CVE-2014-6076

IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a cra…

CVSS: 4.3CWE: CWE-254
Read more
Critical

CVE-2014-9406

ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier has a default password of password for the admin account, which makes it easier for remote attackers to obtain access…

CVSS: 10.0CWE: CWE-255
Read more
Medium

CVE-2014-8120

The agent in Thermostat before 1.0.6, when using unspecified configurations, allows local users to obtain the JMX management URLs of all local Java virtual machines and gain privileges via unknown ve…

CVSS: 4.4CWE: N/A
Read more
Medium

CVE-2014-8108

The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) v…

CVSS: 5.0CWE: N/A
Read more
Medium

CVE-2014-3580

The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server cra…

CVSS: 5.0CWE: N/A
Read more
2014-12-17
Critical

CVE-2014-9387

SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905.

CVSS: 10.0CWE: CWE-264
Read more
Medium

CVE-2014-8117

softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.

CVSS: 5.0CWE: CWE-399
Read more
Medium

CVE-2014-8116

The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid…

CVSS: 5.0CWE: CWE-399
Read more
Medium

CVE-2013-7402

Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVSS: 5.0CWE: N/A
Read more
Medium

CVE-2014-7880

Multiple unspecified vulnerabilities in the POP implementation in HP OpenVMS TCP/IP 5.7 before ECO5 allow remote attackers to cause a denial of service via unspecified vectors.

CVSS: 5.0CWE: N/A
Read more
Low

CVE-2014-8133

arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easie…

CVSS: 2.1CWE: CWE-264
Read more
Critical

CVE-2014-4626

EMC Documentum Content Server before 6.7 SP1 P29, 6.7 SP2 before P18, 7.0 before P16, and 7.1 before P09 allows remote authenticated users to gain privileges by (1) placing a command in a dm_job obje…

CVSS: 9.0CWE: CWE-264
Read more
Medium

CVE-2014-4844

The import/export functionality in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5 allows remote authenticated users to bypass intended access…

CVSS: 6.5CWE: CWE-264
Read more
2014-12-16
Medium

CVE-2014-6176

IBM WebSphere Process Server 7.0, WebSphere Enterprise Service Bus 7.0, and Business Process Manager Advanced 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5 disregard the SSL s…

CVSS: 4.3CWE: CWE-310
Read more
Low

CVE-2014-5354

plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NU…

CVSS: 3.5CWE: N/A
Read more
Critical

CVE-2014-9357

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive ex…

CVSS: 10.0CWE: CWE-264
Read more
Medium

CVE-2014-8583

mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via unspecifie…

CVSS: 6.9CWE: CWE-254
Read more
Critical

CVE-2014-8118

Integer overflow in RPM 4.12 and earlier allows remote attackers to execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflo…

CVSS: 10.0CWE: CWE-189
Read more
2014-12-15
Medium

CVE-2014-9386

Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote attackers to hijack sessions by leveraging an unattended workstation, aka ZEN-1269…

CVSS: 6.8CWE: N/A
Read more
Medium

CVE-2014-9251

Zenoss Core through 5 Beta 3 uses a weak algorithm to hash passwords, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack on hash values in the d…

CVSS: 5.0CWE: CWE-255
Read more
High

CVE-2014-9249

The default configuration of Zenoss Core before 5 allows remote attackers to read or modify database information by connecting to unspecified open ports, aka ZEN-15408.

CVSS: 7.5CWE: CWE-264
Read more
Medium

CVE-2014-9248

Zenoss Core through 5 Beta 3 does not require complex passwords, which makes it easier for remote attackers to obtain access via a brute-force attack, aka ZEN-15406.

CVSS: 5.0CWE: CWE-255
Read more
Medium

CVE-2014-8967

Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted HTML document in conjunction with a Cascading Style Sheets (CSS) token sequ…

CVSS: 6.8CWE: N/A
Read more
Low

CVE-2014-8610

AndroidManifest.xml in Android before 5.0.0 does not require the SEND_SMS permission for the SmsReceiver receiver, which allows attackers to send stored SMS messages, and consequently transmit arbitr…

CVSS: 3.3CWE: CWE-264
Read more
High

CVE-2014-8609

The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers…

CVSS: 7.2CWE: CWE-264
Read more
High

CVE-2014-7911

luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the re…

CVSS: 7.2CWE: CWE-264
Read more
Medium

CVE-2014-6259

Zenoss Core through 5 Beta 3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML docu…

CVSS: 5.0CWE: CWE-399
Read more
Medium

CVE-2014-6258

An unspecified endpoint in Zenoss Core through 5 Beta 3 allows remote attackers to cause a denial of service (CPU consumption) by triggering an arbitrary regular-expression match attempt, aka ZEN-154…

CVSS: 5.0CWE: CWE-399
Read more
Medium

CVE-2014-6257

Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions by using a web-endpoint URL to invoke an object helper method, aka ZEN-15407.

CVSS: 5.0CWE: CWE-264
Read more
High

CVE-2014-6256

Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions and place files in a directory with public (1) read or (2) execute access via a move action, aka ZEN-15386.

CVSS: 7.5CWE: CWE-264
Read more
Medium

CVE-2014-6255

Open redirect vulnerability in the login form in Zenoss Core before 4.2.5 SP161 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the came_from paramet…

CVSS: 6.4CWE: N/A
Read more
Medium

CVE-2014-6053

The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier does not properly handle attempts to send a large amount of ClientCutText data, which allows r…

CVSS: 5.0CWE: CWE-19
Read more
High

CVE-2014-1569

The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 lengt…

CVSS: 7.5CWE: N/A
Read more
2014-12-12
Low

CVE-2014-8134

The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to…

CVSS: 3.3CWE: N/A
Read more
Medium

CVE-2014-2516

Open redirect vulnerability in EMC RSA Authentication Manager 8.x before 8.1 Patch 6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vect…

CVSS: 5.8CWE: N/A
Read more
Medium

CVE-2014-9374

Double free vulnerability in the WebSocket Server (res_http_websocket module) in Asterisk Open Source 11.x before 11.14.2, 12.x before 12.7.2, and 13.x before 13.0.2 and Certified Asterisk 11.6 befor…

CVSS: 5.0CWE: N/A
Read more
Medium

CVE-2014-8608

The K7Sentry.sys kernel mode driver (aka K7AV Sentry Device Driver) before 12.8.0.119, as used in multiple K7 Computing products, allows local users to cause a denial of service (NULL pointer derefer…

CVSS: 4.9CWE: N/A
Read more
Medium

CVE-2014-8489

Open redirect vulnerability in startSSO.ping in the SP Endpoints in Ping Identity PingFederate 6.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via…

CVSS: 6.4CWE: N/A
Read more
Medium

CVE-2014-6408

Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image.

CVSS: 5.0CWE: CWE-264
Read more
Medium

CVE-2013-4399

The remoteClientFreeFunc function in daemon/remote.c in libvirt before 1.1.3, when ACLs are used, does not set an identity, which causes event handler removal to be denied and remote attackers to cau…

CVSS: 4.3CWE: N/A
Read more
Medium

CVE-2014-9365

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check…

CVSS: 5.8CWE: N/A
Read more
Medium

CVE-2014-8270

BMC Track-It! 11.3 allows remote attackers to gain privileges and execute arbitrary code by creating an account whose name matches that of a local system account, then performing a password reset.

CVSS: 5.0CWE: CWE-264
Read more
Medium

CVE-2014-6316

core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a craf…

CVSS: 5.8CWE: N/A
Read more
Medium

CVE-2014-7250

The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of…

CVSS: 5.0CWE: CWE-399
Read more
Medium

CVE-2014-4815

Session fixation vulnerability in IBM Rational Lifecycle Integration Adapter for Windchill 1.x before 1.0.1 allows remote attackers to hijack web sessions via unspecified vectors.

CVSS: 4.3CWE: N/A
Read more
2014-12-11
Critical

CVE-2014-8373

The VMware Remote Console (VMRC) function in VMware vCloud Automation Center (vCAC) 6.0.1 through 6.1.1 allows remote authenticated users to gain privileges via vectors involving the "Connect (by) Us…

CVSS: 9.0CWE: CWE-264
Read more
Low

CVE-2014-1595

Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, and Thunderbird before 31.3 on Apple OS X 10.10 omit a CoreGraphics disable-logging action that is needed by jemalloc-based applications, wh…

CVSS: 2.1CWE: CWE-199
Read more
Medium

CVE-2014-1592

Use-after-free vulnerability in the nsHtml5TreeOperation function in xul.dll in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allows re…

CVSS: 6.8CWE: N/A
Read more
Medium

CVE-2014-1591

Mozilla Firefox 33.0 and SeaMonkey before 2.31 include path strings in CSP violation reports, which allows remote attackers to obtain sensitive information via a web site that receives a report after…

CVSS: 4.3CWE: CWE-199
Read more
Medium

CVE-2014-1588

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 allow remote attackers to cause a denial of service (memory corruption and applicat…

CVSS: 6.8CWE: N/A
Read more
Medium

CVE-2014-8602

iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite numbe…

CVSS: 4.3CWE: CWE-399
Read more
High

CVE-2014-8500

ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory consumption and nam…

CVSS: 7.8CWE: CWE-399
Read more
Critical

CVE-2014-6364

Use-after-free vulnerability in Microsoft Office 2007 SP3; 2010 SP2; 2013 Gold, SP1, and SP2; and 2013 RT Gold and SP1 allows remote attackers to execute arbitrary code via a crafted Office document,…

CVSS: 9.3CWE: N/A
Read more
Critical

CVE-2014-6363

vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (mem…

CVSS: 9.3CWE: CWE-399
Read more
Critical

CVE-2014-6357

Use-after-free vulnerability in Microsoft Office 2010 SP2, Office 2013 Gold and SP1, Office 2013 RT Gold and SP1, Office for Mac 2011, Word Viewer, Office Compatibility Pack SP3, Word Automation Serv…

CVSS: 9.3CWE: N/A
Read more
2014-12-10
Medium

CVE-2014-9166

Adobe ColdFusion 10 before Update 15 and 11 before Update 3 allows attackers to cause a denial of service (resource consumption) via unspecified vectors.

CVSS: 5.0CWE: N/A
Read more
Critical

CVE-2014-9165

Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a differen…

CVSS: 10.0CWE: N/A
Read more
>