CVE List - 2014 / January
Showing 401 - 500 of 558 CVEs for January 2014 (Page 5 of 6)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2013-2750 | 2014-01-22 | Cross-site scripting (XSS) vulnerability in e107_plugins/content/handlers/content_preset.php in e107 before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the query string. |
| CVE-2013-7304 | 2014-01-22 | Check Point Endpoint Security MI Server through R73 3.0.0 HFA2.5 does not configure X.509 certificate validation for client devices, which allows man-in-the-middle attackers to spoof SSL servers by presenting an... |
| CVE-2014-1636 | 2014-01-22 | Multiple SQL injection vulnerabilities in Command School Student Management System 1.06.01 allow remote attackers to execute arbitrary SQL commands via the id parameter in an edit action to (1) admin_school_names.php,... |
| CVE-2014-1637 | 2014-01-22 | Command School Student Management System 1.06.01 does not properly restrict access to sw/backup/backup_ray2.php, which allows remote attackers to download a database backup via a direct request. |
| CVE-2013-7305 | 2014-01-22 | fpw.php in e107 through 1.0.4 does not check the user_ban field, which makes it easier for remote attackers to reset passwords by sending a pwsubmit request and leveraging access to... |
| CVE-2014-0660 | 2014-01-22 | Cisco TelePresence ISDN Gateway with software before 2.2(1.92) allows remote attackers to cause a denial of service (D-channel call outage) via a crafted Q.931 STATUS message, aka Bug ID CSCui50360. |
| CVE-2014-0661 | 2014-01-22 | The System Status Collection Daemon (SSCD) in Cisco TelePresence System 500-37, 1000, 1300-65, and 3xxx before 1.10.2(42), and 500-32, 1300-47, TX1310 65, and TX9xxx before 6.0.4(11), allows remote attackers to... |
| CVE-2014-0662 | 2014-01-22 | The SIP module in Cisco TelePresence Video Communication Server (VCS) before 8.1 allows remote attackers to cause a denial of service (process failure) via a crafted SDP message, aka Bug... |
| CVE-2014-0676 | 2014-01-22 | Cisco NX-OS allows local users to bypass intended TACACS+ command restrictions via a series of multiple commands, aka Bug ID CSCum47367. |
| CVE-2014-0677 | 2014-01-22 | The Label Distribution Protocol (LDP) functionality in Cisco NX-OS allows remote attackers to cause a denial of service (temporary LDP session outage) via LDP discovery traffic containing malformed Hello messages,... |
| CVE-2014-0806 | 2014-01-22 | The Sleipnir Mobile application 2.12.1 and earlier and Sleipnir Mobile Black Edition application 2.12.1 and earlier for Android provide Geolocation API data without verifying user consent, which allows remote attackers... |
| CVE-2014-0807 | 2014-01-22 | data/class/pages/shopping/LC_Page_Shopping_Deliv.php in LOCKON EC-CUBE 2.4.4 and earlier, and 2.11.0 through 2.12.2, allows remote attackers to modify data via unspecified vectors. |
| CVE-2014-0808 | 2014-01-22 | Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected... |
| CVE-2013-6412 | 2014-01-23 | The transform_save function in transform.c in Augeas 1.0.0 through 1.1.0 does not properly calculate the permission values when the umask contains a "7," which causes world-writable permissions to be used... |
| CVE-2013-6447 | 2014-01-23 | Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used... |
| CVE-2013-6448 | 2014-01-23 | The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation... |
| CVE-2013-6443 | 2014-01-23 | CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a... |
| CVE-2014-0006 | 2014-01-23 | The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 through 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret URLs by leveraging an object name and a... |
| CVE-2014-0979 | 2014-01-23 | The start_authentication function in lightdm-gtk-greeter.c in LightDM GTK+ Greeter before 1.7.1 does not properly handle the return value from the lightdm_greeter_get_authentication_user function, which allows local users to cause a denial... |
| CVE-2014-0675 | 2014-01-23 | The Expressway component in Cisco TelePresence Video Communication Server (VCS) uses the same default X.509 certificate across different customers' installations, which makes it easier for remote attackers to conduct man-in-the-middle... |
| CVE-2012-6447 | 2014-01-23 | Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk 5.0.0 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2013-7306 | 2014-01-23 | The OSPF implementation on Brocade routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database,... |
| CVE-2013-7307 | 2014-01-23 | The OSPF implementation on the Brocade Vyatta vRouter with software before 6.6R1 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before... |
| CVE-2013-7308 | 2014-01-23 | The OSPF implementation on the D-Link DES-3810-28 switch with firmware R2.20.B017 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing... |
| CVE-2013-7309 | 2014-01-23 | The OSPF implementation in Extreme Networks EXOS does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA... |
| CVE-2013-7310 | 2014-01-23 | The OSPF implementation on Yamaha routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database,... |
| CVE-2013-7311 | 2014-01-23 | The OSPF implementation in Check Point Gaia OS R75.X and R76 and IPSO OS 6.2 R75.X and R76 does not consider the possibility of duplicate Link State ID values in... |
| CVE-2013-7312 | 2014-01-23 | The OSPF implementation on Enterasys switches and routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the... |
| CVE-2013-7313 | 2014-01-23 | The OSPF implementation in Juniper Junos through 13.x, JunosE, and ScreenOS through 6.3.x does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets... |
| CVE-2013-7314 | 2014-01-23 | The OSPF implementation on NEC IP38X, IX1000, IX2000, and IX3000 routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing... |
| CVE-2013-5371 | 2014-01-23 | The client in IBM Tivoli Storage Manager (TSM) 6.3.1 and 6.4.0 on Windows does not preserve permissions of Resilient File System (ReFS) files across backup and restore operations, which allows... |
| CVE-2014-0494 | 2014-01-23 | Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors. |
| CVE-2014-1242 | 2014-01-23 | Apple iTunes before 11.1.4 uses HTTP for the iTunes Tutorials window, which allows man-in-the-middle attackers to spoof content by gaining control over the client-server data stream. |
| CVE-2013-4152 | 2014-01-23 | The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause... |
| CVE-2013-6933 | 2014-01-23 | The parseRTSPRequestString function in Live Networks Live555 Streaming Media 2011.08.13 through 2013.11.25, as used in VideoLAN VLC Media Player, allows remote attackers to cause a denial of service (crash) and... |
| CVE-2013-6934 | 2014-01-23 | The parseRTSPRequestString function in Live Networks Live555 Streaming Media 2013.11.26, as used in VideoLAN VLC Media Player, allows remote attackers to cause a denial of service (crash) and possibly execute... |
| CVE-2013-7048 | 2014-01-23 | OpenStack Compute (Nova) Grizzly 2013.1.4, Havana 2013.2.1, and earlier uses world-writable and world-readable permissions for the temporary directory used to store live snapshots, which allows local users to read and... |
| CVE-2013-7315 | 2014-01-23 | The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files,... |
| CVE-2013-5667 | 2014-01-24 | The Thecus NAS server N8800 with firmware 5.03.01 allows remote attackers to execute arbitrary commands via a get_userid action with shell metacharacters in the username parameter. |
| CVE-2013-5668 | 2014-01-24 | The ADS/NT Support page on the Thecus NAS server N8800 with firmware 5.03.01 allows remote attackers to discover the administrator credentials by reading this page's cleartext content. |
| CVE-2013-5669 | 2014-01-24 | The Thecus NAS server N8800 with firmware 5.03.01 uses cleartext credentials for administrative authentication, which allows remote attackers to obtain sensitive information by sniffing the network. |
| CVE-2013-6030 | 2014-01-24 | Directory traversal vulnerability on the Emerson Network Power Avocent MergePoint Unity 2016 (aka MPU2016) KVM switch with firmware 1.9.16473 allows remote attackers to read arbitrary files via unspecified vectors, as... |
| CVE-2013-7175 | 2014-01-24 | Multiple SQL injection vulnerabilities in Avanset Visual CertExam Manager 3.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) Title, (2) File name, or (3)... |
| CVE-2014-0674 | 2014-01-24 | Cisco Video Surveillance Operations Manager (VSOM) does not require authentication for MySQL database connections, which allows remote attackers to obtain sensitive information, modify data, or cause a denial of service... |
| CVE-2013-5350 | 2014-01-24 | The "Remember me" feature in the opSecurityUser::getRememberLoginCookie function in lib/user/opSecurityUser.class.php in OpenPNE 3.6.13 before 3.6.13.1 and 3.8.9 before 3.8.9.1 does not properly validate login data in HTTP Cookie headers, which... |
| CVE-2013-7184 | 2014-01-24 | Gretech GOM Media Player 2.2.56.5158 and earlier allows remote attackers to cause a denial of service (memory corruption) via a crafted AVI file. |
| CVE-2013-7316 | 2014-01-24 | Cross-site scripting (XSS) vulnerability in GitLab 6.0 and other versions before 6.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML file, as demonstrated by... |
| CVE-2014-0809 | 2014-01-24 | Directory traversal vulnerability in the Gapless Player SimZip (aka Simple Zip Viewer) application before 1.2.1 for Android allows remote attackers to overwrite or create arbitrary files via a crafted filename. |
| CVE-2014-1252 | 2014-01-24 | Double free vulnerability in Apple Pages 2.x before 2.1 and 5.x before 5.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a... |
| CVE-2013-7317 | 2014-01-24 | Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf,... |
| CVE-2013-1885 | 2014-01-24 | Multiple cross-site scripting (XSS) vulnerabilities in the token processing system (pki-tps) in Red Hat Certificate System (RHCS) 8.1 and possibly Dogtag Certificate System 9 and 10 allow remote attackers to... |
| CVE-2013-1886 | 2014-01-24 | Format string vulnerability in the token processing system (pki-tps) in Red Hat Certificate System (RHCS) 8.1 and possibly Dogtag Certificate System 9 and 10 allows remote authenticated users to cause... |
| CVE-2013-1853 | 2014-01-24 | Almanah Diary 0.9.0 and 0.10.0 does not encrypt the database when closed, which allows local users to obtain sensitive information by reading the database. |
| CVE-2013-2192 | 2014-01-24 | The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional... |
| CVE-2013-6434 | 2014-01-24 | The remote-viewer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.3, when using a native SPICE client invocation method, initially makes insecure connections to the SPICE server, which allows man-in-the-middle... |
| CVE-2013-6457 | 2014-01-24 | The libxlDomainGetNumaParameters function in the libxl driver (libxl/libxl_driver.c) in libvirt before 1.2.1 does not properly initialize the nodemap, which allows local users to cause a denial of service (invalid free... |
| CVE-2013-6458 | 2014-01-24 | Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows... |
| CVE-2014-0028 | 2014-01-24 | libvirt 1.1.1 through 1.2.0 allows context-dependent attackers to bypass the domain:getattr and connect:search_domains restrictions in ACLs and obtain sensitive domain object information via a request to the (1) virConnectDomainEventRegister and... |
| CVE-2014-1447 | 2014-01-24 | Race condition in the virNetServerClientStartKeepAlive function in libvirt before 1.2.1 allows remote attackers to cause a denial of service (libvirtd crash) by closing a connection before a keepalive response is... |
| CVE-2014-1475 | 2014-01-24 | The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. |
| CVE-2014-1476 | 2014-01-24 | The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to... |
| CVE-2014-1202 | 2014-01-25 | The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file. |
| CVE-2014-1670 | 2014-01-25 | The Microsoft Bing application before 4.2.1 for Android allows remote attackers to install arbitrary APK files via vectors involving a crafted DNS response. |
| CVE-2014-0673 | 2014-01-25 | Multiple cross-site scripting (XSS) vulnerabilities in the web interface on Cisco Video Surveillance 5000 HD IP Dome cameras allow remote attackers to inject arbitrary web script or HTML via a... |
| CVE-2014-0678 | 2014-01-25 | The portal interface in Cisco Secure Access Control System (ACS) does not properly manage sessions, which allows remote authenticated users to hijack sessions and gain privileges via unspecified vectors, aka... |
| CVE-2014-0750 | 2014-01-25 | GE Proficy HMI/SCADA Path Traversal |
| CVE-2014-0751 | 2014-01-25 | GE Proficy HMI/SCADA Path Traversal |
| CVE-2013-5364 | 2014-01-26 | Secunia CSI Agent 6.0.0.15017 and earlier, 6.0.1.1007 and earlier, and 7.0.0.21 and earlier, when running on Red Hat Linux, uses world-readable and world-writable permissions for /etc/csia_config.xml, which allows local users... |
| CVE-2013-6853 | 2014-01-26 | Cross-site scripting (XSS) vulnerability in clickstream.js in Y! Toolbar plugin for FireFox 3.1.0.20130813024103 for Mac, and 2.5.9.2013418100420 for Windows, allows remote attackers to inject arbitrary web script or HTML via... |
| CVE-2013-6891 | 2014-01-26 | lppasswd in CUPS before 1.7.1, when running with setuid privileges, allows local users to read portions of arbitrary files via a modified HOME environment variable and a symlink attack involving... |
| CVE-2013-7137 | 2014-01-26 | The "remember me" functionality in login.php in Burden before 1.8.1 allows remote attackers to bypass authentication and gain privileges by setting the burden_user_rememberme cookie to 1. |
| CVE-2013-7247 | 2014-01-26 | cgi-bin/tsaws.cgi in Franklin Fueling Systems TS-550 evo with firmware 2.0.0.6833 and other versions before 2.4.0 allows remote attackers to discover sensitive information (user names and password hashes) via the cmdWebGetConfiguration... |
| CVE-2013-7248 | 2014-01-26 | Franklin Fueling Systems TS-550 evo with firmware 2.0.0.6833 and other versions before 2.4.0 has a hardcoded password for the roleDiag account, which allows remote attackers to gain root privileges, as... |
| CVE-2013-7296 | 2014-01-26 | The JBIG2Stream::readSegments method in JBIG2Stream.cc in Poppler before 0.24.5 does not use the correct specifier within a format string, which allows context-dependent attackers to cause a denial of service (segmentation... |
| CVE-2014-0027 | 2014-01-26 | The play_wave_from_socket function in audio/auserver.c in Flite 1.4 allows local users to modify arbitrary files via a symlink attack on /tmp/awb.wav. NOTE: some of these details are obtained from third... |
| CVE-2014-1626 | 2014-01-26 | XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read arbitrary files via... |
| CVE-2014-1671 | 2014-01-26 | Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress element in a... |
| CVE-2014-1672 | 2014-01-26 | Check Point R75.47 Security Gateway and Management Server does not properly enforce Anti-Spoofing when the routing table is modified and the "Get - Interfaces with Topology" action is performed, which... |
| CVE-2014-1673 | 2014-01-26 | Check Point Session Authentication Agent allows remote attackers to obtain sensitive information (user credentials) via unspecified vectors. |
| CVE-2013-6429 | 2014-01-26 | The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a... |
| CVE-2014-0022 | 2014-01-26 | The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RMP package... |
| CVE-2014-1642 | 2014-01-26 | The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and configured to support a large number of CPUs, frees certain memory that may still be intended for... |
| CVE-2014-1666 | 2014-01-26 | The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests... |
| CVE-2013-4304 | 2014-01-26 | The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has not... |
| CVE-2013-6466 | 2014-01-26 | Openswan 2.6.39 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. |
| CVE-2013-6467 | 2014-01-26 | Libreswan 3.7 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. |
| CVE-2013-7140 | 2014-01-26 | XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to... |
| CVE-2013-7141 | 2014-01-26 | Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to crafted "<%" tags. |
| CVE-2013-7142 | 2014-01-26 | Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified oAuth API functions. |
| CVE-2013-7143 | 2014-01-26 | Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 allows remote attackers to inject arbitrary web script or HTML via the title in a mail filter rule. |
| CVE-2013-7298 | 2014-01-26 | query_params.cpp in cxxtools before 2.2.1 allows remote attackers to cause a denial of service (infinite recursion and crash) via an HTTP query that contains %% (double percent) characters. |
| CVE-2013-7299 | 2014-01-26 | framework/common/messageheaderparser.cpp in Tntnet before 2.2.1 allows remote attackers to obtain sensitive information via a header that ends in \n instead of \r\n, which prevents a null terminator from being added... |
| CVE-2014-0794 | 2014-01-26 | SQL injection vulnerability in the JV Comment (com_jvcomment) component before 3.0.3 for Joomla! allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a comment.like action... |
| CVE-2014-1607 | 2014-01-26 | Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue... |
| CVE-2014-1664 | 2014-01-26 | The Citrix GoToMeeting application 5.0.799.1238 for Android logs HTTP requests containing sensitive information, which allows attackers to obtain user IDs, meeting details, and authentication tokens via an application that reads... |
| CVE-2013-6747 | 2014-01-27 | IBM GSKit 7.x before 7.0.4.48 and 8.x before 8.0.50.16, as used in IBM Security Directory Server (ISDS) and Tivoli Directory Server (TDS), allows remote attackers to cause a denial of... |
| CVE-2012-5192 | 2014-01-28 | Directory traversal vulnerability in gmap/view_overlay.php in Bitweaver 2.8.1 and earlier allows remote attackers to read arbitrary files via "''%2F" (dot dot encoded slash) sequences in the overlay_type parameter. |
| CVE-2013-6838 | 2014-01-28 | An unspecified Enghouse Interactive Professional Services "addon product" in Enghouse Interactive IVR Pro (VIP2000) 9.0.3 (rel903), when using OpenVZ and fallback customization, uses the same SSH private key across different... |
| CVE-2013-7135 | 2014-01-28 | The Proc::Daemon module 0.14 for Perl uses world-writable permissions for a file that stores a process ID, which allows local users to have an unspecified impact by modifying this file. |
| CVE-2014-0647 | 2014-01-28 | The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application... |