CVEMAP.ORG (Common Vulnerabilities and Exposures Map)

Search:
WLB2


First page   01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29   Next
   
-=< CVEMAP.ORG (Common Vulnerabilities and Exposures Map) CXSEC.ORG >=-
2014-10-22
RSS for product
CVE-2014-4448
Apple
Iphone os
 

 
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

 
RSS for product
CVE-2014-4449
Apple
Iphone os
 

 
iCloud Data Access in Apple iOS before 8.1 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

 
RSS for product
CVE-2014-4450
Apple
Iphone os
 

 
The QuickType feature in the Keyboards subsystem in Apple iOS before 8.1 collects typing-prediction data from fields with an off autocomplete attribute, which makes it easier for attackers to discover credentials by reading credential values within unintended DOM input elements.

 
RSS for product
CVE-2013-7407
Drupal
Mrbs module
 

 
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

 
RSS for product
CVE-2014-3675

 

 
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

 
RSS for product
CVE-2014-3676

 

 
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

 
RSS for product
CVE-2014-3677

 

 
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

 
RSS for product
CVE-2014-6352

 

 
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October 2014 with a crafted PowerPoint document.

 
RSS for product
CVE-2014-6387

 

 
gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind.

 
RSS for product
CVE-2014-7182

 

 
Multiple cross-site scripting (XSS) vulnerabilities in the WP Google Maps plugin before 6.0.27 for WordPress allow remote attackers to inject arbitrary web script or HTML via the poly_id parameter in an (1) edit_poly, (2) edit_polyline, or (3) edit_marker action in the wp-google-maps-menu page to wp-admin/admin.php.

 
RSS for product
CVE-2014-7183
Litecart
Litecart
 

 
Multiple cross-site scripting (XSS) vulnerabilities in the search.php in LiteCart 1.1.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) query parameter or (2) QUERY_STRING.

 
RSS for product
CVE-2014-7968

 

 
VDSM allows remote attackers to cause a denial of service (connection blocking) by keeping an SSL connection open.

 
RSS for product
CVE-2014-8088

 

 
The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.

 
RSS for product
CVE-2014-8325

 

 
The Calendar Base (cal) extension before 1.5.9 and 1.6.x before 1.6.1 for TYPO3 allows remote attackers to cause a denial of service (resource consumption) via vectors related to the PHP PCRE library.

 
RSS for product
CVE-2014-8381
Megapolis
Megapolis.portal manager
 

 
Multiple cross-site scripting (XSS) vulnerabilities in Megapolis.Portal Manager allow remote attackers to inject arbitrary web script or HTML via the (1) dateFrom or (2) dateTo parameter.

 
RSS for product
CVE-2014-8761

 

 
inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call.

 
RSS for product
CVE-2014-8762

 

 
The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter.

 
RSS for product
CVE-2014-8763

 

 
DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.

 
RSS for product
CVE-2014-8764

 

 
DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.

 
RSS for product
CVE-2014-3828

 

 
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id parameter to views/graphs/graphStatus/displayServiceStatus.php, (4) the mnftr_id parameter to configuration/configObject/traps/GetXMLTrapsForVendor.php, or (5) the index parameter to common/javascript/commandGetArgs/cmdGetExample.php in include/.

 
RSS for product
CVE-2014-3829

 

 
displayServiceStatus.php in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) session_id or (2) template_id parameter, related to the command_line variable.

 
RSS for product
CVE-2014-4766

 

 
IBM Sametime Classic Meeting Server 8.0.x and 8.5.x allows remote attackers to obtain sensitive information by reading an exported Record and Playback (RAP) file.

 
2014-10-21
RSS for product
CVE-2014-4884

 

 
The Conrad Hotel (aka com.wConradHotel) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

 
RSS for product
CVE-2014-4885

 

 
The CPWORLD Close Protection World (aka com.tapatalk.closeprotectionworldcom) application 3.4.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

 
RSS for product
CVE-2014-4887

 

 
The Joint Radio Blues (aka com.nobexinc.wls_69685189.rc) application 3.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

 
RSS for product
CVE-2014-4888

 

 
The BattleFriends at Sea GOLD (aka com.tequilamobile.warshipslivegold) application 1.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

 
RSS for product
CVE-2014-4889

 

 
The Diabetic Diet Guide (aka com.wDiabeticDietGuide) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

 
RSS for product
CVE-2014-4890

 

 
The Nano Digest (aka com.magzter.nanodigest) application 3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

 
RSS for product
CVE-2014-4891

 

 
The CT iHub (aka com.concursive.ctihub) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

 
RSS for product
CVE-2014-4892

 

 
The uControl Smart Home Automation (aka de.ucontrol) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

 

First page   01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29   Next
   

 

Copyright 2014, cvemap.org