CVEMAP.ORG (Common Vulnerabilities and Exposures Map)

Search:
WLB2


First page   01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29   Next
   
-=< CVEMAP.ORG (Common Vulnerabilities and Exposures Map) CXSEC.ORG >=-
2014-07-28
RSS for product
CVE-2014-5104

 

 
Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) a_country parameter in a process action to affiliate_signup.php, (2) affiliate_banner_id parameter to affiliate_show_banner.php, (3) country parameter in a process action to create_account.php, or (4) entry_country_id parameter in an edit action to admin/create_account.php.

 
RSS for product
CVE-2014-5105

 

 
Multiple cross-site scripting (XSS) vulnerabilities in ol-commerce 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) a_country parameter in a process action to affiliate_signup.php or (2) entry_country_id parameter in an edit action to admin/create_account.php.

 
RSS for product
CVE-2014-5106

 

 
Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.4.x through 3.4.6 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to admin/install/index.php.

 
RSS for product
CVE-2014-5107

 

 
concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3) system/environment/file_storage_locations.php, (4) system/mail/importers.php, (5) system/mail/method.php, (6) system/permissions/file_types.php, (7) system/permissions/files.php, (8) system/permissions/tasks.php, (9) system/permissions/users.php, (10) system/seo/view.php, (11) view.php, (12) users/attributes.php, (13) scrapbook/view.php, (14) pages/attributes.php, (15) files/attributes.php, or (16) files/search.php in single_pages/dashboard/.

 
RSS for product
CVE-2014-5108

 

 
Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to index.php/download_file.

 
RSS for product
CVE-2014-5109

 

 
SQL injection vulnerability in maint/modules/endpointcfg/endpoint_generic.php in Fonality trixbox allows remote attackers to execute arbitrary SQL commands via the mac parameter in a Submit action.

 
RSS for product
CVE-2014-5110

 

 
Cross-site scripting (XSS) vulnerability in user/help/html/index.php in Fonality trixbox allows remote attackers to inject arbitrary web script or HTML via the id_nodo parameter.

 
RSS for product
CVE-2014-5111

 

 
Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter to (1) home/index.php, (2) asterisk_info/asterisk_info.php, (3) repo/repo.php, or (4) endpointcfg/endpointcfg.php in maint/modules/.

 
RSS for product
CVE-2014-5112

 

 
maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter.

 
RSS for product
CVE-2014-5113

 

 
Multiple cross-site scripting (XSS) vulnerabilities in test.php in Visualware MyConnection Server 9.7i allow remote attackers to inject arbitrary web script or HTML via the (1) testtype, (2) ver, (3) cm, (4) map, (5) lines, (6) pps, (7) bpp, (8) codec, (9) provtext, (10) provtextextra, (11) provlink, or (12) duration parameter.

 
RSS for product
CVE-2013-4840

 

 
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

 
RSS for product
CVE-2014-2974

 

 
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

 
RSS for product
CVE-2014-2975

 

 
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

 
RSS for product
CVE-2014-3303

 

 
The web framework in Cisco WebEx Meetings Server does not properly restrict the content of query strings, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history, aka Bug ID CSCuj81713.

 
RSS for product
CVE-2014-3304

 

 
The OutlookAction Class in Cisco WebEx Meetings Server allows remote attackers to enumerate user accounts by entering crafted URLs and examining the returned messages, aka Bug ID CSCuj81722.

 
RSS for product
CVE-2013-4262

 

 
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-2013-7393.

 
RSS for product
CVE-2013-7393

 

 
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions (ADT3).

 
RSS for product
CVE-2014-3120

 

 
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

 
2014-07-27
RSS for product
CVE-2014-4725

 

 
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.

 
RSS for product
CVE-2014-4726

 

 
Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors.

 
2014-07-26
RSS for product
CVE-2014-2363
Morpho
Itemiser 3
 

 
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

 
RSS for product
CVE-2014-3071
IBM
Infosphere information server
 

 
Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection.

 
RSS for product
CVE-2014-3301
Cisco
Webex meetings server
 

 
The ProfileAction controller in Cisco WebEx Meetings Server (CWMS) 1.5(.1.131) and earlier allows remote attackers to obtain sensitive information by reading stack traces in returned messages, aka Bug ID CSCuj81700.

 
RSS for product
CVE-2014-3305
Cisco
Webex meetings server
 

 
Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, aka Bug ID CSCuj81735.

 
RSS for product
CVE-2014-3324
Cisco
Telepresence server software
 

 
Multiple cross-site scripting (XSS) vulnerabilities in the login page in the administrative web interface in Cisco TelePresence Server Software 4.0(2.8) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug ID CSCup90060.

 
RSS for product
CVE-2014-3326
Cisco
Security manager
 

 
SQL injection vulnerability in the web framework in Cisco Security Manager 4.5 and 4.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCup26957.

 
RSS for product
CVE-2014-3328
Cisco
Unified presence server
 

 
The Intercluster Sync Agent Service in Cisco Unified Presence Server allows remote attackers to cause a denial of service via a TCP SYN flood, aka Bug ID CSCun34125.

 
RSS for product
CVE-2014-4858

 

 
Multiple SQL injection vulnerabilities in CWPLogin.aspx in Sabre AirCentre Crew products 2010.2.12.20008 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password field.

 
RSS for product
CVE-2014-4979

 

 
Apple QuickTime allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a malformed version number and flags in an mvhd atom.

 
RSS for product
CVE-2014-2625
HP
Network virtualization
 

 
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

 

First page   01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29   Next
   

 

Copyright 2014, cvemap.org