CVEMAP.ORG (Common Vulnerabilities and Exposures Map)

Search:
WLB2


First page   01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29   Next
   
-=< CVEMAP.ORG (Common Vulnerabilities and Exposures Map) CXSEC.ORG >=-
2014-11-25
RSS for product
CVE-2014-1421

 

 
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

 
RSS for product
CVE-2014-7839

 

 
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

 
RSS for product
CVE-2014-8367

 

 
SQL injection vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) 6.2.x, 6.3.x before 6.3.6, and 6.4.x before 6.4.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

 
RSS for product
CVE-2014-8368

 

 
The web interface in Aruba Networks AirWave before 7.7.14 and 8.x before 8.0.5 allows remote authenticated users to gain privileges and execute arbitrary commands via unspecified vectors.

 
RSS for product
CVE-2014-8420

 

 
The ViewPoint web application in Dell SonicWALL Global Management System (GMS) before 7.2 SP2, SonicWALL Analyzer before 7.2 SP2, and SonicWALL UMA before 7.2 SP2 allows remote authenticated users to execute arbitrary code via unspecified vectors.

 
RSS for product
CVE-2014-8558

 

 
JExperts Channel Platform 5.0.33_CCB allows remote authenticated users to bypass access restrictions via crafted action and key parameters.

 
RSS for product
CVE-2014-8678

 

 
The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile."

 
RSS for product
CVE-2014-8001

 

 
Buffer overflow in decode.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.

 
RSS for product
CVE-2014-8002

 

 
Use-after-free vulnerability in decode_slice.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.

 
RSS for product
CVE-2014-8004

 

 
Cisco IOS XR allows remote attackers to cause a denial of service (LISP process reload) by establishing many LISP TCP sessions, aka Bug ID CSCuq90378.

 
2014-11-24
RSS for product
CVE-2014-7830
Moodle
Moodle
 

 
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter.

 
RSS for product
CVE-2014-7831
Moodle
Moodle
 

 
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.

 
RSS for product
CVE-2014-7832
Moodle
Moodle
 

 
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.

 
RSS for product
CVE-2014-7833
Moodle
Moodle
 

 
mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.

 
RSS for product
CVE-2014-7834
Moodle
Moodle
 

 
mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.

 
RSS for product
CVE-2014-7835
Moodle
Moodle
 

 
webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area.

 
RSS for product
CVE-2014-7836
Moodle
Moodle
 

 
Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request.

 
RSS for product
CVE-2014-7837
Moodle
Moodle
 

 
mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to remove wiki pages by leveraging delete access within a different subwiki.

 
RSS for product
CVE-2014-7838
Moodle
Moodle
 

 
Multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for requests that set a tracking preference within (1) mod/forum/deprecatedlib.php, (2) mod/forum/forum.js, (3) mod/forum/index.php, or (4) mod/forum/lib.php.

 
RSS for product
CVE-2014-7845
Moodle
Moodle
 

 
The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack.

 
RSS for product
CVE-2014-7846
Moodle
Moodle
 

 
tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request.

 
RSS for product
CVE-2014-7847
Moodle
Moodle
 

 
iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote attackers to cause a denial of service (resource consumption) by triggering the calculation of an estimated latitude and longitude for an IP address.

 
RSS for product
CVE-2014-7848
Moodle
Moodle
 

 
lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.

 
RSS for product
CVE-2014-9059
Moodle
Moodle
 

 
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts.

 
RSS for product
CVE-2014-9060
Moodle
Moodle
 

 
The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php.

 
RSS for product
CVE-2010-5312
Jqueryui
Jquery ui
 

 
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

 
RSS for product
CVE-2012-6662
Jqueryui
Jquery ui
 

 
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

 
RSS for product
CVE-2014-1424
Ubuntu
Apparmor
 

 
apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a "miscompilation flaw."

 
RSS for product
CVE-2014-7817
GNU
Glibc
 

 
The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))".

 
RSS for product
CVE-2014-7821
Openstack
Neutron
 

 
OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.

 

First page   01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29   Next
   

 

Copyright 2014, cvemap.org