CVEMAP.ORG (Common Vulnerabilities and Exposures Map)

2014-12-17
CVE-2014-8133
Linux
Linux kernel
 

 
arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value.

 
CVE-2014-9322
Linux
Linux kernel
 

 
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.

 
CVE-2014-7285

 

 
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

 
CVE-2014-7880

 

 
Multiple unspecified vulnerabilities in the POP implementation in HP OpenVMS TCP/IP 5.7 before ECO5 allow remote attackers to cause a denial of service via unspecified vectors.

 
CVE-2014-5437

 

 
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php, (2) add a port forwarding rule via a request to port_forwarding_add.php, (3) change the wireless network to open via a request to wireless_network_configuration_edit.php, or (4) conduct cross-site scripting (XSS) attacks via the keyword parameter to managed_sites_add_keyword.php.

 
CVE-2014-5438

 

 
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

 
CVE-2014-9253

 

 
The default file type whitelist configuration in conf/mime.conf in the Media Manager in DokuWiki before 2014-09-29b allows remote attackers to execute arbitrary web script or HTML by uploading an SWF file, then accessing it via the media parameter to lib/exe/fetch.php.

 
CVE-2013-7402

 

 
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

 
CVE-2014-7170

 

 
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

 
CVE-2014-8116

 

 
The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities.

 
CVE-2014-8117

 

 
softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.

 
CVE-2014-8553

 

 
The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request.

 
CVE-2014-9387

 

 
SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905.

 
CVE-2014-9388

 

 
bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter.

 
2014-12-16
CVE-2013-6435
RPM
RPM
 

 
Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.

 
CVE-2014-4936
Malwarebytes
Malwarebytes anti-exploit
 

 
The upgrade functionality in Malwarebytes Anti-Malware (MBAM) consumer before 2.0.3 and Malwarebytes Anti-Exploit (MBAE) consumer 1.04.1.1012 and earlier allow man-in-the-middle attackers to execute arbitrary code by spoofing the update server and uploading an executable.

 
CVE-2014-5359
Safenet-inc
Safenet authentication servi...
 

 
Directory traversal vulnerability in SafeNet Authentication Service (SAS) Outlook Web Access Agent (formerly CRYPTOCard) before 1.03.30109 allows remote attackers to read arbitrary files via a .. (dot dot) in the GetFile parameter to owa/owa.

 
CVE-2014-5466
Splunk
Splunk
 

 
Cross-site scripting (XSS) vulnerability in the Dashboard in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4, 6.0.x before 6.0.7, and 5.0.x before 5.0.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

 
CVE-2014-8118
RPM
RPM
 

 
Integer overflow in RPM 4.12 and earlier allows remote attackers to execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflow.

 
CVE-2014-8340
Zoneo-soft
Phptraffica
 

 
SQL injection vulnerability in Php/Functions/log_function.php in phpTrafficA 2.3 and earlier allows remote attackers to execute arbitrary SQL commands via a User-Agent HTTP header.

 
CVE-2014-8583
Modwsgi
Mod wsgi
 

 
mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via unspecified vectors.

 
CVE-2014-8751
Goywp
Webpress
 

 
Multiple cross-site scripting (XSS) vulnerabilities in goYWP WebPress 13.00.06 allow remote attackers to inject arbitrary web script or HTML via the (1) search_param parameter to search.php or (2) name, (3) address, or (4) comment parameter to forms.php.

 
CVE-2014-8964
PCRE
Perl-compatible regular expr...
 

 
Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.

 
CVE-2014-9057
Sixapart
Movabletype
 

 
SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.0.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

 
CVE-2014-9323
Firebirdsql
Firebird
 

 
The xdr_status_vector function in Firebird before 2.1.7 and 2.5.x before 2.5.3 SU1 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and crash) via an op_response action with a non-empty status.

 
CVE-2014-9357
Docker
Docker
 

 
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.

 
CVE-2014-9358
Docker
Docker
 

 
Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications."

 
CVE-2014-9371
Manageengine
Desktop central
 

 
The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object.

 
CVE-2014-9372
Manageengine
Password manager pro
 

 
Directory traversal vulnerability in the UploadAccountActivities servlet in ManageEngine Password Manager Pro (PMP) before 7103 allows remote attackers to delete arbitrary files via a .. (dot dot) in a filename.

 
CVE-2014-9373
Manageengine
Netflow analyzer
 

 
Directory traversal vulnerability in the CollectorConfInfoServlet servlet in ManageEngine NetFlow Analyzer allows remote attackers to execute arbitrary code via a .. (dot dot) in the filename.

 

   

 

Copyright 2014, cvemap.org