| |
CVE # |
CVE Description |
SAINT® Tutorial |
SAINT® Vuln. ID |
SANS Top 20 |
 |
CVE-2014-0001 |
Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-0009 |
course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0010 |
Multiple cross-site request forgery (CSRF) vulnerabilities in user/profile/index.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 allow remote attackers to hijack the authentication of administrators for requests that delete (1) categories or (2) fields. |
Moodle vulnerabilities
|
misc_moodlever |
|
 |
CVE-2014-0015 |
cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-0020 |
The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not validate argument counts, which allows remote IRC servers to cause a denial of service (application crash) via a crafted message. |
Gaim vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gaim |
|
 |
CVE-2014-0021 |
Chrony before 1.29.1 has traffic amplification in cmdmon protocol |
Chrony vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_chronyver |
|
|
CVE-2014-0028 |
libvirt 1.1.1 through 1.2.0 allows context-dependent attackers to bypass the domain:getattr and connect:search_domains restrictions in ACLs and obtain sensitive domain object information via a request to the (1) virConnectDomainEventRegister and (2) virConnectDomainEventRegisterAny functions in the event registration API. |
libvirt vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_libvirtver |
|
|
CVE-2014-0032 |
The get_resource function in repos.c in the mod_dav_svn module in Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via vectors related to the server root and request methods other than GET, as demonstrated by the "svn ls http://svn.example.com" command. |
Apache Subversion vulnerabilities
|
web_mod_apachesvnver |
|
|
CVE-2014-0033 |
org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL. |
IBM Rational AppScan vulnerabilities
Apache Tomcat vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_ibmappscanentver
web_dev_tomcatver |
|
|
CVE-2014-0038 |
The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0049 |
Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0050 |
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. |
Apache Tomcat vulnerabilities
WebSphere vulnerabilities
Lotus Domino HTTP vulnerability
Lotus Sametime vulnerabilities
HP SiteScope vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver
web_dev_webspherever
web_server_lotus_domino
web_server_lotus_sametimecliver
web_server_sitescopever |
|
|
CVE-2014-0055 |
The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0060 |
PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command. |
PostgreSQL vulnerabilities
Apple OS X Server vulnerabilities
Puppet vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql
misc_macosx_server_version
web_tool_puppetentver |
|
|
CVE-2014-0061 |
The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions. |
PostgreSQL vulnerabilities
Apple OS X Server vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql
misc_macosx_server_version |
|
|
CVE-2014-0062 |
Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window. |
PostgreSQL vulnerabilities
Apple OS X Server vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql
misc_macosx_server_version |
|
|
CVE-2014-0063 |
Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065. |
PostgreSQL vulnerabilities
Apple OS X Server vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql
misc_macosx_server_version |
|
|
CVE-2014-0064 |
Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector. |
PostgreSQL vulnerabilities
Apple OS X Server vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql
misc_macosx_server_version |
|
|
CVE-2014-0065 |
Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063. |
PostgreSQL vulnerabilities
Apple OS X Server vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql
misc_macosx_server_version |
|
|
CVE-2014-0066 |
The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly check the return value of the crypt library function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors. |
PostgreSQL vulnerabilities
Apple OS X Server vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql
misc_macosx_server_version |
|
|
CVE-2014-0067 |
The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster. |
Apple OS X Server vulnerabilities
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_server_version
misc_macosx_version |
|
|
CVE-2014-0069 |
The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0075 |
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data. |
Apache Tomcat vulnerabilities
Novell iManager vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver
web_server_novell_imanagerver |
|
|
CVE-2014-0076 |
The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack. |
VMWare ESX vulnerabilities
MacOSX vulnerabilities
OpenSSL vulnerabilities
Oracle VirtualBox vulnerabilities
VMware vulnerabilities
Cisco AnyConnect VPN Client vulnerabilities
Cisco voice products
IBM HTTP Server vulnerabilities
WebSphere MQ vulnerabilities
McAfee ePolicy Orchestrator
Note: Authentication is recommended to improve the accuracy of this check |
misc_esxbuild
misc_macosx_version
misc_openssl
misc_oraclevirtualboxver
misc_vmware_fusion
misc_vmwareplayerver
misc_vmwarewkstnver
net_cisco_anyconnectcliver
net_cisco_cucmver
web_dev_ibmhttpserver
web_dev_ibmwebspheremq
web_tool_epolicyver |
|
|
CVE-2014-0077 |
drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0080 |
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns. |
Ruby on Rails vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_dev_rubyonrails |
|
|
CVE-2014-0081 |
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. |
Ruby on Rails vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_dev_rubyonrails |
|
|
CVE-2014-0082 |
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers. |
Ruby on Rails vulnerabilities
Puppet vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_dev_rubyonrails
web_tool_puppetentver |
|
|
CVE-2014-0092 |
lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. |
GnuTLS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gnutls |
|
|
CVE-2014-0095 |
java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a "Content-Length: 0" AJP request to trigger a hang in request processing. |
Apache Tomcat vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver |
|
|
CVE-2014-0096 |
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
Apache Tomcat vulnerabilities
Novell iManager vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver
web_server_novell_imanagerver |
|
|
CVE-2014-0098 |
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation. |
Oracle vulnerabilities
MacOSX vulnerabilities
IBM HTTP Server vulnerabilities
WebSphere vulnerabilities
Apache vulnerabilities
Puppet vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_httpserver
misc_macosx_version
web_dev_ibmhttpserver
web_dev_webspherever
web_server_apache_version
web_tool_puppetentver |
|
|
CVE-2014-0099 |
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. |
Apache Tomcat vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver |
|
|
CVE-2014-0100 |
Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel through 3.13.6 allows remote attackers to cause a denial of service (use-after-free error) or possibly have unspecified other impact via a large series of fragmented ICMP Echo Request packets to a system with a heavy CPU load. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0101 |
The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0102 |
The keyring_detect_cycle_iterator function in security/keys/keyring.c in the Linux kernel through 3.13.6 does not properly determine whether keyrings are identical, which allows local users to cause a denial of service (OOPS) via crafted keyctl commands. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0106 |
Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-0107 |
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function. |
WebLogic vulnerabilities
HP SiteScope vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic
web_server_sitescopever |
|
|
CVE-2014-0114 |
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. |
WebLogic vulnerabilities
WebSphere vulnerabilities
HP SiteScope vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic
web_dev_webspherever
web_server_sitescopever |
|
|
CVE-2014-0117 |
The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. |
Oracle vulnerabilities
MacOSX vulnerabilities
Apache vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_httpserver
misc_macosx_version
web_server_apache_version |
|
|
CVE-2014-0118 |
The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size. |
Oracle vulnerabilities
MacOSX vulnerabilities
IBM HTTP Server vulnerabilities
Apache vulnerabilities
HP SMH vulnerabilities
Puppet vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_httpserver
misc_macosx_version
web_dev_ibmhttpserver
web_server_apache_version
web_tool_hpsmh
web_tool_puppetentver |
|
|
CVE-2014-0119 |
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application. |
Apache Tomcat vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver |
|
|
CVE-2014-0122 |
mod/chat/chat_ajax.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly check for the mod/chat:chat capability during chat sessions, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by remaining in a chat session after an intra-session capability removal by an administrator. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0123 |
The wiki subsystem in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly restrict (1) view and (2) edit access, which allows remote authenticated users to perform wiki operations by leveraging the student role and using the Recent Activity block to reach the individual wiki of an arbitrary student. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0124 |
The identity-reporting implementations in mod/forum/renderer.php and mod/quiz/override_form.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 do not properly restrict the display of e-mail addresses, which allows remote authenticated users to obtain sensitive information by using the (1) Forum or (2) Quiz module. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0125 |
repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 places a session key in a URL, which allows remote attackers to bypass intended Alfresco Repository file restrictions by impersonating a file's owner. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0126 |
Cross-site request forgery (CSRF) vulnerability in enrol/imsenterprise/importnow.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that import an IMS Enterprise file. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0127 |
The time-validation implementation in (1) mod/feedback/complete.php and (2) mod/feedback/complete_guest.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to bypass intended restrictions on starting a Feedback activity by choosing an unavailable time. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0128 |
Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management. |
Squid vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_proxy_squid |
|
|
CVE-2014-0129 |
badges/mybadges.php in Moodle 2.5.x before 2.5.5 and 2.6.x before 2.6.2 does not properly track the user to whom a badge was issued, which allows remote authenticated users to modify the visibility of an arbitrary badge via unspecified vectors. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0130 |
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request. |
Ruby on Rails vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_dev_rubyonrails |
|
|
CVE-2014-0131 |
Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0132 |
The SASL authentication functionality in 389 Directory Server before 1.2.11.26 allows remote authenticated users to connect as an arbitrary user and gain privileges via the authzid parameter in a SASL/GSSAPI bind. |
Red Hat Directory Server vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_389directoryver |
|
|
CVE-2014-0139 |
cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. |
Cisco FireSIGHT vulnerabilities
|
web_prog_firesightver |
|
|
CVE-2014-0155 |
The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0160 |
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. |
MySQL Connector C vulnerabilities
MySQL Connector ODBC vulnerabilities
MySQL vulnerabilities
PostgreSQL vulnerabilities
Cerberus FTP Server
FileZilla server vulnerabilities
Symantec vulnerabilities
Trend Micro OfficeScan
VMWare ESX vulnerabilities
OpenOffice vulnerabilities
HP Mercury LoadRunner vulnerabilities
OpenSSL vulnerabilities
Python vulnerabilities
Splunk vulnerabilities
TLS heartbleed vulnerability
VMware vulnerabilities
OpenVPN Access Server vulnerabilities
WinSCP vulnerabilities
Opera vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_connectorc
database_mysql_connectorodbc
database_mysql_version
database_pgsql
ftp_cerberusver
ftp_filezilla
misc_av_symantec_sepmver
misc_av_trendmicro_officescantls
misc_esxbuild
misc_libreoffice
misc_mercuryloadrunnerver
misc_openssl
misc_python
misc_splunkver
misc_tls_heartbleed
misc_vmware_fusion
misc_vmwareplayerver
misc_vmwarewkstnver
net_openvpnasver
shell_ssh_winscp
web_client_opera9 |
|
|
CVE-2014-0165 |
WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-0166 |
The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-0178 |
Samba 3.6.6 through 3.6.23, 4.0.x before 4.0.18, and 4.1.x before 4.1.8, when a certain vfs shadow copy configuration is enabled, does not properly initialize the SRV_SNAPSHOT_ARRAY response field, which allows remote authenticated users to obtain potentially sensitive information from process memory via a (1) FSCTL_GET_SHADOW_COPY_DATA or (2) FSCTL_SRV_ENUMERATE_SNAPSHOTS request. |
Samba vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
win_samba |
|
|
CVE-2014-0179 |
libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of some vectors. CVE-2014-5177 is used for other API methods. |
libvirt vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_libvirtver |
|
|
CVE-2014-0185 |
sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-0191 |
The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document. |
Oracle vulnerabilities
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_httpserver
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-0195 |
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment. |
MySQL vulnerabilities
Wing FTP vulnerabilities
MacOSX vulnerabilities
OpenSSL vulnerabilities
Oracle VirtualBox vulnerabilities
Cisco AnyConnect VPN Client vulnerabilities
Cisco voice products
Cisco vulnerabilities
McAfee ePolicy Orchestrator
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version
ftp_wingftpver
misc_macosx_version
misc_openssl
misc_oraclevirtualboxver
net_cisco_anyconnectcliver
net_cisco_cucmver
net_cisco_ios
web_tool_epolicyver |
|
|
CVE-2014-0196 |
The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. |
Linux Kernel vulnerabilities
Cisco FireSIGHT vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel
web_prog_firesightver |
|
|
CVE-2014-0198 |
The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition. |
MySQL vulnerabilities
Wing FTP vulnerabilities
VMWare ESX vulnerabilities
OpenSSL vulnerabilities
Oracle VirtualBox vulnerabilities
VMware vulnerabilities
McAfee ePolicy Orchestrator
Puppet vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version
ftp_wingftpver
misc_esxbuild
misc_openssl
misc_oraclevirtualboxver
misc_vmware_fusion
misc_vmwareplayerver
misc_vmwarewkstnver
web_tool_epolicyver
web_tool_puppetentver |
|
|
CVE-2014-0203 |
The __do_follow_link function in fs/namei.c in the Linux kernel before 2.6.33 does not properly handle the last pathname component during use of certain filesystems, which allows local users to cause a denial of service (incorrect free operations and system crash) via an open system call. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0205 |
The futex_wait function in kernel/futex.c in the Linux kernel before 2.6.37 does not properly maintain a certain reference count during requeue operations, which allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that triggers a zero count. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0206 |
Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-0207 |
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-0213 |
Multiple cross-site request forgery (CSRF) vulnerabilities in mod/assign/locallib.php in the Assignment subsystem in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allow remote attackers to hijack the authentication of teachers for quick-grading requests. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0215 |
The blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote authenticated users to de-anonymize student identities by (1) using a screen reader or (2) reading the HTML source. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0216 |
The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0217 |
enrol/index.php in Moodle 2.6.x before 2.6.3 does not check for the moodle/course:viewhiddencourses capability before listing hidden courses, which allows remote attackers to obtain sensitive name and summary information about these courses by leveraging the guest role and visiting a crafted URL. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0218 |
Cross-site scripting (XSS) vulnerability in the URL downloader repository in repository/url/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-0221 |
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake. |
MySQL vulnerabilities
Wing FTP vulnerabilities
MacOSX vulnerabilities
OpenSSL vulnerabilities
Oracle VirtualBox vulnerabilities
Cisco AnyConnect VPN Client vulnerabilities
Cisco voice products
Cisco vulnerabilities
McAfee ePolicy Orchestrator
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version
ftp_wingftpver
misc_macosx_version
misc_openssl
misc_oraclevirtualboxver
net_cisco_anyconnectcliver
net_cisco_cucmver
net_cisco_ios
web_tool_epolicyver |
|
|
CVE-2014-0224 |
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. |
MySQL Connector C vulnerabilities
MySQL Connector ODBC vulnerabilities
MySQL vulnerabilities
FileZilla server vulnerabilities
Wing FTP vulnerabilities
IMail vulnerabilities
Trend Micro vulnerabilities
IBM Rational ClearQuest vulnerabilities
Novell eDirectory
VMWare ESX vulnerabilities
MacOSX vulnerabilities
OpenSSL vulnerabilities
Oracle VirtualBox vulnerabilities
Python vulnerabilities
Splunk vulnerabilities
VMware vulnerabilities
Cisco AnyConnect VPN Client vulnerabilities
Cisco voice products
Cisco vulnerabilities
March Networks Products Vulnerabilities
WinSCP vulnerabilities
McAfee ePolicy Orchestrator
Puppet vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_connectorc
database_mysql_connectorodbc
database_mysql_version
ftp_filezilla
ftp_wingftpver
mail_imap_imail
misc_av_trendmicro_imssver
misc_clearquestver
misc_edirectoryver
misc_esxbuild
misc_macosx_version
misc_openssl
misc_opensslccsinject
misc_oraclevirtualboxver
misc_python
misc_splunkver
misc_vmware_fusion
misc_vmwareplayerver
misc_vmwarewkstnver
net_cisco_anyconnectcliver
net_cisco_cucmver
net_cisco_ios
net_marchnvdver
shell_ssh_winscp
web_tool_epolicyver
web_tool_puppetentver |
|
|
CVE-2014-0226 |
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c. |
Oracle vulnerabilities
MacOSX vulnerabilities
IBM HTTP Server vulnerabilities
Apache vulnerabilities
HP SMH vulnerabilities
Puppet vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_httpserver
misc_macosx_version
web_dev_ibmhttpserver
web_server_apache_version
web_tool_hpsmh
web_tool_puppetentver |
|
|
CVE-2014-0227 |
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding. |
Apache Tomcat vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver |
|
|
CVE-2014-0230 |
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts. |
Apache Tomcat vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver |
|
|
CVE-2014-0231 |
The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor. |
Oracle vulnerabilities
MacOSX vulnerabilities
IBM HTTP Server vulnerabilities
Apache vulnerabilities
HP SMH vulnerabilities
Puppet vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_httpserver
misc_macosx_version
web_dev_ibmhttpserver
web_server_apache_version
web_tool_hpsmh
web_tool_puppetentver |
|
|
CVE-2014-0232 |
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1) result or (2) error message. |
Apache OFBiz vulnerabilities
|
web_tool_ofbizver |
|
|
CVE-2014-0237 |
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-0238 |
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-0239 |
The internal DNS server in Samba 4.x before 4.0.18 does not check the QR field in the header section of an incoming DNS message before sending a response, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged response packet that triggers a communication loop, a related issue to CVE-1999-0103. |
Samba vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
win_samba |
|
|
CVE-2014-0244 |
The sys_recvfrom function in nmbd in Samba 3.6.x before 3.6.24, 4.0.x before 4.0.19, and 4.1.x before 4.1.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a malformed UDP packet. |
Samba vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
win_samba |
|
|
CVE-2014-0247 |
LibreOffice 4.2.4 executes unspecified VBA macros automatically, which has unspecified impact and attack vectors, possibly related to doc/docmacromode.cxx. |
OpenOffice vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_libreoffice |
|
|
CVE-2014-0251 |
Microsoft Windows SharePoint Services 3.0 SP3; SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013 Gold and SP1; SharePoint Foundation 2010 SP1 and SP2 and 2013 Gold and SP1; Project Server 2010 SP1 and SP2 and 2013 Gold and SP1; Web Applications 2010 SP1 and SP2; Office Web Apps Server 2013 Gold and SP1; SharePoint Server 2013 Client Components SDK; and SharePoint Designer 2007 SP3, 2010 SP1 and SP2, and 2013 Gold and SP1 allow remote authenticated users to execute arbitrary code via crafted page content, aka "SharePoint Page Content Vulnerability." |
Microsoft Office Web Apps vulnerabilities
Microsoft Office vulnerabilities
Windows updates needed
Note: A valid SNMP read community string is required to detect this vulnerability |
win_patch_officeweb201014022
win_patch_officeweb2013ver
win_patch_projectserver14022
win_patch_sharepoint2007ms14022
win_patch_sharepoint2010ms14022
win_patch_sharepoint2013ms14022
win_patch_sharepointdesigner2007ms14022
win_patch_sharepointdesigner2010ms14022
win_patch_sharepointdesigner2013ms14022 |
|
|
CVE-2014-0253 |
Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly determine TCP connection states, which allows remote attackers to cause a denial of service (ASP.NET daemon hang) via crafted HTTP requests that trigger persistent resource consumption for a (1) stale or (2) closed connection, as exploited in the wild in February 2014, aka "POST Request DoS Vulnerability." |
Microsoft NET Framework
Note: Authentication is required to detect this vulnerability |
win_dotnet14009post |
|
|
CVE-2014-0254 |
The IPv6 implementation in Microsoft Windows 8, Windows Server 2012, and Windows RT does not properly validate packets, which allows remote attackers to cause a denial of service (system hang) via crafted ICMPv6 Router Advertisement packets, aka "TCP/IP Version 6 (IPv6) Denial of Service Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_tcpms14006 |
|
|
CVE-2014-0255 |
Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 Gold and R2 allow remote attackers to cause a denial of service (iSCSI service outage) by sending many crafted packets, aka "iSCSI Target Remote Denial of Service Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_iscsi14028 |
|
|
CVE-2014-0256 |
Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 Gold allow remote attackers to cause a denial of service (iSCSI service outage) by sending many crafted packets, aka "iSCSI Target Remote Denial of Service Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_iscsi14028 |
|
|
CVE-2014-0257 |
Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly determine whether it is safe to execute a method, which allows remote attackers to execute arbitrary code via (1) a crafted web site or (2) a crafted .NET Framework application that exposes a COM server endpoint, aka "Type Traversal Vulnerability." |
Microsoft NET Framework
Note: Authentication is required to detect this vulnerability |
win_dotnet14009tt |
|
|
CVE-2014-0258 |
Microsoft Word 2003 SP3 and 2007 SP3, Office Compatibility Pack SP3, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_word2003
win_patch_word2007
win_patch_word2010
win_patch_word2013
win_patch_wordcompack |
|
|
CVE-2014-0259 |
Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_word2003
win_patch_word2007
win_patch_word2010
win_patch_word2013
win_patch_wordcompack |
|
|
CVE-2014-0260 |
Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Office Compatibility Pack SP3; Word Viewer; SharePoint Server 2010 SP1 and SP2 and 2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability." |
Microsoft Office Web Apps vulnerabilities
Windows updates needed
Microsoft Office vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
win_patch_officeweb201014001
win_patch_officeweb201314001
win_patch_officeweb2013ver
win_patch_sharepoint201014001
win_patch_sharepoint2013wdsrv
win_patch_word2003
win_patch_word2007
win_patch_word2010
win_patch_word2013
win_patch_wordcompack |
|
|
CVE-2014-0261 |
Microsoft Dynamics AX 4.0 SP2, 2009 SP1, 2012, and 2012 R2 allows remote authenticated users to cause a denial of service (instance outage) via crafted data to an Application Object Server (AOS) instance, aka "Query Filter DoS Vulnerability." |
Microsoft Dynamics
Note: Authentication is required to detect this vulnerability |
win_dynamics14004 |
|
|
CVE-2014-0262 |
win32k.sys in the kernel-mode drivers in Microsoft Windows 7 SP1 and Server 2008 R2 SP1 does not properly consider thread-owned objects during the processing of window handles, which allows local users to gain privileges via a crafted application, aka "Win32k Window Handle Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_kern14003 |
|
|
CVE-2014-0263 |
The Direct2D implementation in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a large 2D geometric figure that is encountered with Internet Explorer, aka "Microsoft Graphics Component Memory Corruption Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14007 |
|
|
CVE-2014-0266 |
The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_xmlcorever14005 |
|
|
CVE-2014-0267 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0289 and CVE-2014-0290. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-0268 |
Microsoft Internet Explorer 8 through 11 does not properly restrict file installation and registry-key creation, which allows remote attackers to bypass the Mandatory Integrity Control protection mechanism via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0269 |
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0270 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0273, CVE-2014-0274, and CVE-2014-0288. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-0271 |
The VBScript engine in Microsoft Internet Explorer 6 through 11, and VBScript 5.6 through 5.8, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9
win_patch_vbscriptms14011 |
|
|
CVE-2014-0272 |
Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0273 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0270, CVE-2014-0274, and CVE-2014-0288. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-0274 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0270, CVE-2014-0273, and CVE-2014-0288. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-0275 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0285 and CVE-2014-0286. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0276 |
Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0277 |
Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0278 and CVE-2014-0279. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8 |
|
|
CVE-2014-0278 |
Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0277 and CVE-2014-0279. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8 |
|
|
CVE-2014-0279 |
Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0277 and CVE-2014-0278. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8 |
|
|
CVE-2014-0280 |
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8 |
|
|
CVE-2014-0281 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0287. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0282 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1775, CVE-2014-1779, CVE-2014-1799, CVE-2014-1803, and CVE-2014-2757. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0283 |
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v9 |
|
|
CVE-2014-0284 |
Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v9 |
|
|
CVE-2014-0285 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0275 and CVE-2014-0286. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0286 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0275 and CVE-2014-0285. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0287 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0281. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0288 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0270, CVE-2014-0273, and CVE-2014-0274. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-0289 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0267 and CVE-2014-0290. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-0290 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0267 and CVE-2014-0289. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-0293 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Internet Explorer Cross-domain Information Disclosure Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-0294 |
Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_forefrontprotection14008 |
|
|
CVE-2014-0295 |
VsaVb7rt.dll in Microsoft .NET Framework 2.0 SP2 and 3.5.1 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in February 2014, aka "VSAVB7RT ASLR Vulnerability." |
Microsoft NET Framework
Note: Authentication is required to detect this vulnerability |
win_dotnet14009vsa |
|
|
CVE-2014-0296 |
The Remote Desktop Protocol (RDP) implementation in Microsoft Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly encrypt sessions, which makes it easier for man-in-the-middle attackers to obtain sensitive information by sniffing the network or modify session content by sending crafted RDP packets, aka "RDP MAC Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_rdptamper |
|
|
CVE-2014-0297 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0308, CVE-2014-0312, and CVE-2014-0324. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0298 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-0299 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0305 and CVE-2014-0311. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0300 |
win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_kern14015
win_patch_ms14015 |
|
|
CVE-2014-0301 |
Double free vulnerability in qedit.dll in DirectShow in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via a crafted JPEG image, aka "DirectShow Memory Corruption Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14013directshow |
|
|
CVE-2014-0302 |
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0303. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8 |
|
|
CVE-2014-0303 |
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0302. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8 |
|
|
CVE-2014-0304 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-0305 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0299 and CVE-2014-0311. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0306 |
Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0307 |
Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a certain sequence of manipulations of a TextRange element, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v9 |
|
|
CVE-2014-0308 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0297, CVE-2014-0312, and CVE-2014-0324. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0309 |
Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0310 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1815. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0311 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0299 and CVE-2014-0305. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0312 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0297, CVE-2014-0308, and CVE-2014-0324. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0313 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-0314 |
Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v9 |
|
|
CVE-2014-0315 |
Untrusted search path vulnerability in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse cmd.exe file in the current working directory, as demonstrated by a directory that contains a .bat or .cmd file, aka "Windows File Handling Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14019 |
|
|
CVE-2014-0316 |
Memory leak in the Local RPC (LRPC) server implementation in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (memory consumption) and bypass the ASLR protection mechanism via a crafted client that sends messages with an invalid data view, aka "LRPC ASLR Bypass Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_lrpcaslrbypassms14047 |
|
|
CVE-2014-0317 |
The Security Account Manager Remote (SAMR) protocol implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold and R2 does not properly determine the user-lockout state, which makes it easier for remote attackers to bypass the account lockout policy and obtain access via a brute-force attack, aka "SAMR Security Feature Bypass Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_adam14016
win_patch_samsrv14016 |
|
|
CVE-2014-0318 |
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly control access to thread-owned objects, which allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_kernelmode14045
win_patch_kernelpool14045 |
|
|
CVE-2014-0319 |
Microsoft Silverlight 5 before 5.1.30214.0 and Silverlight 5 Developer Runtime before 5.1.30214.0 allow attackers to bypass the DEP and ASLR protection mechanisms via unspecified vectors, aka "Silverlight DEP/ASLR Bypass Vulnerability." |
Microsoft Silverlight vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_silverlightmacver
misc_silverlightver |
|
|
CVE-2014-0321 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0313. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-0322 |
Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v9 |
|
|
CVE-2014-0323 |
win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (system hang) via a crafted application, aka "Win32k Information Disclosure Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_kern14015
win_patch_ms14015 |
|
|
CVE-2014-0324 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0297, CVE-2014-0308, and CVE-2014-0312. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-0325 |
Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site that triggers improper processing of CElement objects, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1751 and CVE-2014-1755. NOTE: MS14-018 originally had a typo of CVE-2014-0235 for this. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v9 |
|
|
CVE-2014-0330 |
Cross-site scripting (XSS) vulnerability in adminui/user_list.php on the Dell KACE K1000 management appliance 5.5.90545 allows remote attackers to inject arbitrary web script or HTML via the LABEL_ID parameter. |
Quest KACE vulnerabilities
|
net_kacesmaver |
|
|
CVE-2014-0333 |
The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero. |
VLC vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_vlc |
|
|
CVE-2014-0339 |
Cross-site scripting (XSS) vulnerability in view.cgi in Webmin before 1.680 allows remote attackers to inject arbitrary web script or HTML via the search parameter. |
Webmin vulnerabilities
|
web_tool_webminver |
|
|
CVE-2014-0368 |
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and Java SE Embedded 7u45, allows remote attackers to affect confidentiality via unknown vectors related to Networking. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to incorrect permission checks when listening on a socket, which allows attackers to escape the sandbox. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0373 |
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to throwing of an incorrect exception when SnmpStatusException should have been used in the SNMP implementation, which allows attackers to escape the sandbox. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0375 |
Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0403. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0376 |
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAXP. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to an improper check for "code permissions when creating document builder factories." |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0377 |
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality via vectors related to SYS tables. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-0378 |
Unspecified vulnerability in the Spatial component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-0382 |
Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 allows remote attackers to affect availability via unknown vectors related to JavaFX. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
mail_client_notesfilever
misc_javawebstart
web_client_javafx
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0384 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to XML. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-0385 |
Unspecified vulnerability in Oracle Java SE 7u45, when installing on OS X, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install. |
Lotus Notes email client vulnerabilities
Java Plugin vulnerability
Cisco FireSIGHT vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_notesfilever
web_client_jre
web_dev_jdk
web_prog_firesightver |
|
|
CVE-2014-0386 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-0387 |
Unspecified vulnerability in Oracle Java SE 6u65 and Java SE 7u45, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0393 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect integrity via unknown vectors related to InnoDB. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-0401 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-0402 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-0403 |
Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0375. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0408 |
Unspecified vulnerability in Oracle Java SE 7u45, when running on OS X, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
mail_client_notesfilever
misc_javawebstart
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0410 |
Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0411 |
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that this issue allows remote attackers to obtain sensitive information about encryption keys via a timing discrepancy during the TLS/SSL handshake. |
Lotus Notes email client vulnerabilities
IBM Rational AppScan vulnerabilities
Tivoli Provisioning Manager Express for Software Distribution vulnerabilities
Java Plugin vulnerability
WebSphere MQ vulnerabilities
Oracle JRockit vulnerabilities
WebSphere vulnerabilities
Cisco FireSIGHT vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_ibmappscanentver
misc_tivolipmever
web_client_ibmjre
web_dev_ibmwebspheremq
web_dev_jrockitver
web_dev_webspherever
web_prog_firesightver |
|
|
CVE-2014-0412 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-0413 |
Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect integrity via vectors related to HTTP Request Handling, a different vulnerability than CVE-2014-0426. |
Oracle Containers for J2EE vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_dev_oc4jver |
|
|
CVE-2014-0414 |
Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality via vectors related to HTTP Request Handling. |
Oracle Containers for J2EE vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_dev_oc4jver |
|
|
CVE-2014-0415 |
Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0418, and CVE-2014-0424. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0416 |
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAAS. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to how principals are set for the Subject class, which allows attackers to escape the sandbox using deserialization of a crafted Subject instance. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0417 |
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JavaFX 2.2.45; and Java SE Embedded 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_javafx
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0418 |
Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, and CVE-2014-0424. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
mail_client_notesfilever
misc_javawebstart
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0420 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Replication. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-0422 |
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JNDI. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to missing package access checks in the Naming / JNDI component, which allows attackers to escape the sandbox. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0423 |
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote authenticated users to affect confidentiality and availability via unknown vectors related to Beans. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability in DocumentHandler.java, related to Beans decoding. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
Oracle JRockit vulnerabilities
WebSphere vulnerabilities
Cisco FireSIGHT vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_jrockitver
web_dev_webspherever
web_prog_firesightver |
|
|
CVE-2014-0424 |
Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, and CVE-2014-0418. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0426 |
Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect integrity via vectors related to HTTP Request Handling, a different vulnerability than CVE-2014-0413. |
Oracle Containers for J2EE vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_dev_oc4jver |
|
|
CVE-2014-0427 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via vectors related to FTS. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-0428 |
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to "insufficient security checks in IIOP streams," which allows attackers to escape the sandbox. |
Lotus Notes email client vulnerabilities
Java Web Start
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_notesfilever
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-0429 |
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. |
IBM Forms Viewer vulnerability
Java Plugin vulnerability
Oracle JRockit vulnerabilities
Cisco FireSIGHT vulnerabilities
McAfee ePolicy Orchestrator
Note: Authentication is required to detect this vulnerability |
misc_ibmfmviewer
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_jrockitver
web_prog_firesightver
web_tool_epolicyver |
|
|
CVE-2014-0430 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-0431 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-5881. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-0432 |
Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0455 and CVE-2014-2402. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0433 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-0437 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-0446 |
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0448 |
Unspecified vulnerability in Oracle Java SE 7u51 and 8 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0449 |
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality via unknown vectors related to Deployment. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0451 |
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT, a different vulnerability than CVE-2014-2412. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0452 |
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0458 and CVE-2014-2423. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0453 |
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security. |
Java Plugin vulnerability
Oracle JRockit vulnerabilities
WebSphere vulnerabilities
Cisco FireSIGHT vulnerabilities
McAfee ePolicy Orchestrator
Note: Authentication is recommended to improve the accuracy of this check |
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_jrockitver
web_dev_webspherever
web_prog_firesightver
web_tool_epolicyver |
|
|
CVE-2014-0454 |
Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security. |
IBM Forms Viewer vulnerability
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_ibmfmviewer
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0455 |
Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0432 and CVE-2014-2402. |
IBM Forms Viewer vulnerability
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_ibmfmviewer
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0456 |
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0457 |
Unspecified vulnerability in Oracle Java SE 5.0u61, SE 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. |
IBM Forms Viewer vulnerability
Java Plugin vulnerability
Oracle JRockit vulnerabilities
McAfee ePolicy Orchestrator
Note: Authentication is required to detect this vulnerability |
misc_ibmfmviewer
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_jrockitver
web_tool_epolicyver |
|
|
CVE-2014-0458 |
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-2423. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0459 |
Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect availability via unknown vectors related to 2D. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0460 |
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via vectors related to JNDI. |
Java Plugin vulnerability
Oracle JRockit vulnerabilities
WebSphere vulnerabilities
Cisco FireSIGHT vulnerabilities
McAfee ePolicy Orchestrator
Note: Authentication is recommended to improve the accuracy of this check |
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_jrockitver
web_dev_webspherever
web_prog_firesightver
web_tool_epolicyver |
|
|
CVE-2014-0461 |
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. |
IBM Forms Viewer vulnerability
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_ibmfmviewer
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0463 |
Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0464. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0464 |
Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0463. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-0472 |
The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path." |
Django vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_djangover |
|
|
CVE-2014-0473 |
The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users. |
Django vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_djangover |
|
|
CVE-2014-0474 |
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting." |
Django vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_djangover |
|
|
CVE-2014-0480 |
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated. |
Django vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_djangover |
|
|
CVE-2014-0481 |
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name. |
Django vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_djangover |
|
|
CVE-2014-0482 |
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header. |
Django vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_djangover |
|
|
CVE-2014-0483 |
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. |
Django vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_djangover |
|
|
CVE-2014-0491 |
Adobe Flash Player before 11.7.700.260 and 11.8.x and 11.9.x before 12.0.0.38 on Windows and Mac OS X and before 11.2.202.335 on Linux, Adobe AIR before 4.0.0.1390, Adobe AIR SDK before 4.0.0.1390, and Adobe AIR SDK & Compiler before 4.0.0.1390 allow attackers to bypass unspecified protection mechanisms via unknown vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
misc_flashnpapi |
|
|
CVE-2014-0492 |
Adobe Flash Player before 11.7.700.260 and 11.8.x and 11.9.x before 12.0.0.38 on Windows and Mac OS X and before 11.2.202.335 on Linux, Adobe AIR before 4.0.0.1390, Adobe AIR SDK before 4.0.0.1390, and Adobe AIR SDK & Compiler before 4.0.0.1390 allow attackers to defeat the ASLR protection mechanism by leveraging an "address leak." |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
misc_flashnpapi |
|
|
CVE-2014-0493 |
Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0495 |
Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0493. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0496 |
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allows attackers to execute arbitrary code via unspecified vectors. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0497 |
Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors. |
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0498 |
Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0499 |
Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 do not prevent access to address information, which makes it easier for attackers to bypass the ASLR protection mechanism via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0500 |
Adobe Shockwave Player before 12.0.9.149 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0501. |
Shockwave vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_shockwave |
|
|
CVE-2014-0501 |
Adobe Shockwave Player before 12.0.9.149 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0500. |
Shockwave vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_shockwave |
|
|
CVE-2014-0502 |
Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0503 |
Adobe Flash Player before 11.7.700.272 and 11.8.x through 12.0.x before 12.0.0.77 on Windows and OS X, and before 11.2.202.346 on Linux, allows remote attackers to bypass the Same Origin Policy via unspecified vectors. |
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0504 |
Adobe Flash Player before 11.7.700.272 and 11.8.x through 12.0.x before 12.0.0.77 on Windows and OS X, and before 11.2.202.346 on Linux, allows attackers to read the clipboard via unspecified vectors. |
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0505 |
Adobe Shockwave Player before 12.1.0.150 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. |
Shockwave vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_shockwave |
|
|
CVE-2014-0506 |
Use-after-free vulnerability in Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allows remote attackers to execute arbitrary code, and possibly bypass an Internet Explorer sandbox protection mechanism, via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2014. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0507 |
Buffer overflow in Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allows attackers to execute arbitrary code via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0508 |
Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0509 |
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0510 |
Heap-based buffer overflow in Adobe Flash Player 12.0.0.77 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism via unspecified vectors, as demonstrated by Zeguang Zhao and Liang Chen during a Pwn2Own competition at CanSecWest 2014. |
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0511 |
Heap-based buffer overflow in Adobe Reader 11.0.06 allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2014. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0512 |
Adobe Reader 11.0.06 allows attackers to bypass a PDF sandbox protection mechanism via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2014. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0515 |
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014. |
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie |
|
|
CVE-2014-0516 |
Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK & Compiler before 13.0.0.111 allow remote attackers to bypass the Same Origin Policy via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0517 |
Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK & Compiler before 13.0.0.111 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0518, CVE-2014-0519, and CVE-2014-0520. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0518 |
Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK & Compiler before 13.0.0.111 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0517, CVE-2014-0519, and CVE-2014-0520. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0519 |
Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK & Compiler before 13.0.0.111 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0517, CVE-2014-0518, and CVE-2014-0520. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0520 |
Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK & Compiler before 13.0.0.111 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0517, CVE-2014-0518, and CVE-2014-0519. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0521 |
Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X do not properly implement JavaScript APIs, which allows remote attackers to obtain sensitive information via a crafted PDF document. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0522 |
Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0523, CVE-2014-0524, and CVE-2014-0526. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0523 |
Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0522, CVE-2014-0524, and CVE-2014-0526. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0524 |
Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0522, CVE-2014-0523, and CVE-2014-0526. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0525 |
The API in Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X does not prevent access to unmapped memory, which allows attackers to execute arbitrary code via unspecified API calls. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0526 |
Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0522, CVE-2014-0523, and CVE-2014-0524. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0527 |
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0528 |
Double free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0529 |
Buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0531 |
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0532 and CVE-2014-0533. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0532 |
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0533. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0533 |
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0534 |
Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0535. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0535 |
Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0534. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0536 |
Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0537 |
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0539. |
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie |
|
|
CVE-2014-0538 |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 allows attackers to execute arbitrary code via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0539 |
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0537. |
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie |
|
|
CVE-2014-0540 |
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, and CVE-2014-0545. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0541 |
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 allow attackers to bypass intended access restrictions via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0542 |
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2014-0540, CVE-2014-0543, CVE-2014-0544, and CVE-2014-0545. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0543 |
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2014-0540, CVE-2014-0542, CVE-2014-0544, and CVE-2014-0545. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0544 |
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2014-0540, CVE-2014-0542, CVE-2014-0543, and CVE-2014-0545. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0545 |
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2014-0540, CVE-2014-0542, CVE-2014-0543, and CVE-2014-0544. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0546 |
Adobe Reader and Acrobat 10.x before 10.1.11 and 11.x before 11.0.08 on Windows allow attackers to bypass a sandbox protection mechanism, and consequently execute native code in a privileged context, via unspecified vectors. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0547 |
Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, and CVE-2014-0555. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash |
|
|
CVE-2014-0548 |
Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow remote attackers to bypass the Same Origin Policy via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash |
|
|
CVE-2014-0549 |
Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, and CVE-2014-0555. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash |
|
|
CVE-2014-0550 |
Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0551, CVE-2014-0552, and CVE-2014-0555. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash |
|
|
CVE-2014-0551 |
Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0552, and CVE-2014-0555. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash |
|
|
CVE-2014-0552 |
Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, and CVE-2014-0555. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash |
|
|
CVE-2014-0553 |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash |
|
|
CVE-2014-0554 |
Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to bypass intended access restrictions via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash |
|
|
CVE-2014-0555 |
Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, and CVE-2014-0552. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash |
|
|
CVE-2014-0556 |
Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0559. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash |
|
|
CVE-2014-0557 |
Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash |
|
|
CVE-2014-0558 |
Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and OS X and before 11.2.202.411 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0564. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Avant Browser vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_avantver
web_client_googlechrome |
|
|
CVE-2014-0559 |
Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0556. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash |
|
|
CVE-2014-0560 |
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0561 |
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0567. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0562 |
Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)." |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0563 |
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to cause a denial of service (memory corruption) via unspecified vectors. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0564 |
Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and OS X and before 11.2.202.411 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0558. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Avant Browser vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_avantver
web_client_googlechrome |
|
|
CVE-2014-0565 |
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0566. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0566 |
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0565. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0567 |
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0561. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0568 |
The NtSetInformationFile system call hook feature in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows allows attackers to bypass a sandbox protection mechanism, and consequently execute native code in a privileged context, via an NTFS junction attack. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-0569 |
Integer overflow in Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and OS X and before 11.2.202.411 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302 allows attackers to execute arbitrary code via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Avant Browser vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_avantver
web_client_googlechrome |
|
|
CVE-2014-0573 |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0588 and CVE-2014-8438. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0574 |
Double free vulnerability in Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allows attackers to execute arbitrary code via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0576 |
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0581, CVE-2014-8440, and CVE-2014-8441. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0577 |
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0578 |
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, and CVE-2015-5116. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie |
|
|
CVE-2014-0580 |
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows remote attackers to bypass the Same Origin Policy via unspecified vectors. |
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0581 |
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0576, CVE-2014-8440, and CVE-2014-8441. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0582 |
Heap-based buffer overflow in Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0589. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0583 |
Heap-based buffer overflow in Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allows attackers to complete a transition from Low Integrity to Medium Integrity via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0584 |
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0577, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0585 |
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0577, CVE-2014-0584, CVE-2014-0586, and CVE-2014-0590. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0586 |
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0577, CVE-2014-0584, CVE-2014-0585, and CVE-2014-0590. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0587 |
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-9164. |
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0588 |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0573 and CVE-2014-8438. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0589 |
Heap-based buffer overflow in Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0582. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0590 |
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0577, CVE-2014-0584, CVE-2014-0585, and CVE-2014-0586. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-0591 |
The query_findclosestnsec3 function in query.c in named in ISC BIND 9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV before 9.6-ESV-R10-P2, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a crafted DNS query to an authoritative nameserver that uses the NSEC3 signing feature. |
DNS vulnerabilities
Apple OS X Server vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
dns_bindver
misc_macosx_server_version |
|
|
CVE-2014-0609 |
Unspecified vulnerability in Novell Open Enterprise Server (OES) 11 SP1 before Scheduled Maintenance Update 9415 and 11 SP2 before Scheduled Maintenance Update 9413 for Linux has unknown impact and attack vectors. |
Novell Open Enterprise Server vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_novelloesver |
|
|
CVE-2014-0653 |
The Identity Firewall (IDFW) functionality in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to trigger authentication-state modifications via a crafted NetBIOS logout probe response, aka Bug ID CSCuj45340. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-0655 |
The Identity Firewall (IDFW) functionality in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to change the user-cache contents via a replay attack involving crafted RADIUS Change of Authorization (CoA) messages, aka Bug ID CSCuj45332. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-0686 |
Cisco Unified Communications Manager (aka Unified CM) 9.1 (2.10000.28) and earlier allows local users to gain privileges by leveraging incorrect file permissions, aka Bug IDs CSCul24917 and CSCul24908. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0723 |
Cross-site scripting (XSS) vulnerability in the IP Manager Assistant (IPMA) interface in Cisco Unified Communications Manager (UCM) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCum05343. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0726 |
SQL injection vulnerability in the IP Manager Assistant (IPMA) interface in Cisco Unified Communications Manager (UCM) 10.0(1) and earlier allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05326. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0727 |
SQL injection vulnerability in the CallManager Interactive Voice Response (CMIVR) interface in Cisco Unified Communications Manager (UCM) allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05318. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0728 |
SQL injection vulnerability in the Java database interface in Cisco Unified Communications Manager (UCM) 10.0(1) and earlier allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05313. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0729 |
SQL injection vulnerability in the Enterprise Mobility Application (EMApp) interface in Cisco Unified Communications Manager (UCM) allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05302. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0732 |
The Real Time Monitoring Tool (RTMT) web application in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier does not properly enforce authentication requirements, which allows remote attackers to read application files via a direct request to a URL, aka Bug ID CSCum46495. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0733 |
The Enterprise License Manager (ELM) component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier does not properly enforce authentication requirements, which allows remote attackers to read ELM files via a direct request to a URL, aka Bug ID CSCum46494. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0734 |
SQL injection vulnerability in the Certificate Authority Proxy Function (CAPF) implementation in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum46483. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0735 |
Cross-site scripting (XSS) vulnerability in the IP Manager Assistant (IPMA) interface in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCum46470. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0736 |
Cross-site request forgery (CSRF) vulnerability in the Call Detail Records Analysis and Reporting (CAR) page in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that make CAR modifications, aka Bug ID CSCum46468. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0740 |
Cross-site request forgery (CSRF) vulnerability in the Call Detail Records Analysis and Reporting (CAR) interface in the OS Administration component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to hijack the authentication of administrators for requests that make administrative changes, aka Bug ID CSCun00701. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0743 |
The Certificate Authority Proxy Function (CAPF) component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to bypass authentication and modify registered-device information via crafted data, aka Bug ID CSCum95468. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0747 |
The Certificate Authority Proxy Function (CAPF) CLI implementation in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows local users to inject commands via unspecified CAPF programs, aka Bug ID CSCum95493. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-0822 |
The IMAP server in IBM Domino 8.5.x before 8.5.3 FP6 IF1 and 9.0.x before 9.0.1 FP1 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors, aka SPR KLYH9F4S2Z. |
Lotus Domino IMAP vulnerabilities
|
mail_imap_domino |
|
|
CVE-2014-0859 |
The web-server plugin in IBM WebSphere Application Server (WAS) 7.x before 7.0.0.33, 8.x before 8.0.0.9, and 8.5.x before 8.5.5.2, when POST retries are enabled, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-0876 |
Buffer overflow in the Java GUI Configuration Wizard and Preferences Editor in the backup-archive client in IBM Tivoli Storage Manager (TSM) 5.x and 6.x before 6.2.5.2, 6.3.x before 6.3.2, and 6.4.x before 6.4.2 on Windows and OS X allows local users to cause a denial of service (application crash or hang) via unspecified vectors. |
Tivoli Storage Manager
|
misc_tivolicategory_storagever |
|
|
CVE-2014-0878 |
The IBMSecureRandom component in the IBMJCE and IBMSecureRandom cryptographic providers in IBM SDK Java Technology Edition 5.0 before Service Refresh 16 FP6, 6 before Service Refresh 16, 6.0.1 before Service Refresh 8, 7 before Service Refresh 7, and 7R1 before Service Refresh 1 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by predicting the random number generator's output. |
IBM Rational AppScan vulnerabilities
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_ibmappscanver
web_dev_webspherever |
|
|
CVE-2014-0891 |
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.2 allows remote attackers to obtain sensitive information by leveraging incorrect request handling by the (1) Proxy or (2) ODR server. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-0892 |
IBM Notes and Domino 8.5.x before 8.5.3 FP6 IF3 and 9.x before 9.0.1 FP1 on 32-bit Linux platforms use incorrect gcc options, which makes it easier for remote attackers to execute arbitrary code by leveraging the absence of the NX protection mechanism and placing crafted x86 code on the stack, aka SPR KLYH9GGS9W. |
Lotus Notes email client vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_notesfilever |
|
|
CVE-2014-0906 |
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not check whether a session cookie is current, which allows remote attackers to conduct user-search actions by leveraging possession of a (1) expired or (2) invalidated cookie. |
Lotus Sametime vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_server_lotus_sametimecliver |
|
|
CVE-2014-0907 |
Multiple untrusted search path vulnerabilities in unspecified (1) setuid and (2) setgid programs in IBM DB2 9.5, 9.7 before FP9a, 9.8, 10.1 before FP3a, and 10.5 before FP3a on Linux and UNIX allow local users to gain root privileges via a Trojan horse library. |
DB2 vulnerabilities
|
database_db2ver |
|
|
CVE-2014-0911 |
inetd in IBM WebSphere MQ 7.1.x before 7.1.0.5 and 7.5.x before 7.5.0.4 allows remote attackers to cause a denial of service (disk or CPU consumption) via unspecified vectors. |
WebSphere MQ vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_dev_ibmwebspheremq |
|
|
CVE-2014-0913 |
Cross-site scripting (XSS) vulnerability in IBM iNotes and Domino 8.5.3 FP6 before IF2 and 9.0.1 before FP1 allows remote attackers to inject arbitrary web script or HTML via an e-mail message, aka SPR BFEY9GXHZE. |
Lotus Domino Web Access vulnerabilities
|
web_server_lotus_inotesver |
|
|
CVE-2014-0963 |
The Reverse Proxy feature in IBM Global Security Kit (aka GSKit) in IBM Security Access Manager (ISAM) for Web 7.0 before 7.0.0-ISS-SAM-IF0006 and 8.0 before 8.0.0.3-ISS-WGA-IF0002 allows remote attackers to cause a denial of service (infinite loop) via crafted SSL messages. |
DB2 vulnerabilities
INFORMIX vulnerabilities
IBM HTTP Server vulnerabilities
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_db2ver
database_informix_idsver
web_dev_ibmhttpserver
web_dev_webspherever |
|
|
CVE-2014-0964 |
IBM WebSphere Application Server (WAS) 6.1.0.0 through 6.1.0.47 and 6.0.2.0 through 6.0.2.43 allows remote attackers to cause a denial of service via crafted TLS traffic, as demonstrated by traffic from a CVE-2014-0160 vulnerability-assessment tool. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-0965 |
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted SOAP response. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-0981 |
VBox/GuestHost/OpenGL/util/net.c in Oracle VirtualBox before 3.2.22, 4.0.x before 4.0.24, 4.1.x before 4.1.32, 4.2.x before 4.2.24, and 4.3.x before 4.3.8, when using 3D Acceleration allows local guest OS users to execute arbitrary code on the Chromium server via crafted Chromium network pointer in a (1) CR_MESSAGE_READBACK or (2) CR_MESSAGE_WRITEBACK message to the VBoxSharedCrOpenGL service, which triggers an arbitrary pointer dereference and memory corruption. NOTE: this issue was MERGED with CVE-2014-0982 because it is the same type of vulnerability affecting the same set of versions. All CVE users should reference CVE-2014-0981 instead of CVE-2014-0982. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-0983 |
Multiple array index errors in programs that are automatically generated by VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py in Oracle VirtualBox 4.2.x through 4.2.20 and 4.3.x before 4.3.8, when using 3D Acceleration, allow local guest OS users to execute arbitrary code on the Chromium server via certain CR_MESSAGE_OPCODES messages with a crafted index, which are not properly handled by the (1) CR_VERTEXATTRIB4NUBARB_OPCODE to the crServerDispatchVertexAttrib4NubARB function, (2) CR_VERTEXATTRIB1DARB_OPCODE to the crServerDispatchVertexAttrib1dARB function, (3) CR_VERTEXATTRIB1FARB_OPCODE to the crServerDispatchVertexAttrib1fARB function, (4) CR_VERTEXATTRIB1SARB_OPCODE to the crServerDispatchVertexAttrib1sARB function, (5) CR_VERTEXATTRIB2DARB_OPCODE to the crServerDispatchVertexAttrib2dARB function, (6) CR_VERTEXATTRIB2FARB_OPCODE to the crServerDispatchVertexAttrib2fARB function, (7) CR_VERTEXATTRIB2SARB_OPCODE to the crServerDispatchVertexAttrib2sARB function, (8) CR_VERTEXATTRIB3DARB_OPCODE to the crServerDispatchVertexAttrib3dARB function, (9) CR_VERTEXATTRIB3FARB_OPCODE to the crServerDispatchVertexAttrib3fARB function, (10) CR_VERTEXATTRIB3SARB_OPCODE to the crServerDispatchVertexAttrib3sARB function, (11) CR_VERTEXATTRIB4DARB_OPCODE to the crServerDispatchVertexAttrib4dARB function, (12) CR_VERTEXATTRIB4FARB_OPCODE to the crServerDispatchVertexAttrib4fARB function, and (13) CR_VERTEXATTRIB4SARB_OPCODE to the crServerDispatchVertexAttrib4sARB function. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-100027 |
Cross-site scripting (XSS) vulnerability in the WP SlimStat plugin before 3.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
WP Slimstat vulnerabilities
|
web_prog_php_wpslimstat |
|
|
CVE-2014-10386 |
The wp-live-chat-support plugin before 4.1.0 for WordPress has JavaScript injections. |
WordPress plugin vulnerabilities
|
web_prog_php_wordpresslivechatsup |
|
|
CVE-2014-1207 |
VMware ESXi 4.0 through 5.1 and ESX 4.0 and 4.1 allow remote attackers to cause a denial of service (NULL pointer dereference) by intercepting and modifying Network File Copy (NFC) traffic. |
VMWare ESX vulnerabilities
|
misc_esxbuild |
|
|
CVE-2014-1208 |
VMware Workstation 9.x before 9.0.1, VMware Player 5.x before 5.0.1, VMware Fusion 5.x before 5.0.1, VMware ESXi 4.0 through 5.1, and VMware ESX 4.0 and 4.1 allow guest OS users to cause a denial of service (VMX process disruption) by using an invalid port. |
VMWare ESX vulnerabilities
|
misc_esxbuild |
|
|
CVE-2014-1222 |
Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM. |
vtiger vulnerabilities
|
web_prog_php_vtigerver |
|
|
CVE-2014-1243 |
Apple QuickTime before 7.7.5 does not initialize an unspecified pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted track list in a movie file. |
QuickTime vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_quicktime |
|
|
CVE-2014-1244 |
Buffer overflow in Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with H.264 encoding. |
QuickTime vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_quicktime |
|
|
CVE-2014-1245 |
Integer signedness error in Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted stsz atom in a movie file. |
MacOSX vulnerabilities
QuickTime vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_quicktime |
|
|
CVE-2014-1246 |
Buffer overflow in Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted ftab atom in a movie file. |
MacOSX vulnerabilities
QuickTime vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_quicktime |
|
|
CVE-2014-1247 |
Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted dref atom in a movie file. |
MacOSX vulnerabilities
QuickTime vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_quicktime |
|
|
CVE-2014-1248 |
Buffer overflow in Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted ldat atom in a movie file. |
MacOSX vulnerabilities
QuickTime vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_quicktime |
|
|
CVE-2014-1249 |
Buffer overflow in Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PSD image. |
MacOSX vulnerabilities
QuickTime vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_quicktime |
|
|
CVE-2014-1250 |
Apple QuickTime before 7.7.5 does not properly perform a byte-swapping operation, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted ttfo element in a movie file. |
MacOSX vulnerabilities
QuickTime vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_quicktime |
|
|
CVE-2014-125002 |
A vulnerability was found in FFmpeg 2.0. It has been classified as problematic. Affected is the function dnxhd_init_rc of the file libavcodec/dnxhdenc.c. The manipulation leads to memory corruption. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125003 |
A vulnerability was found in FFmpeg 2.0 and classified as problematic. This issue affects the function get_siz of the file libavcodec/jpeg2000dec.c. The manipulation leads to memory corruption. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125004 |
A vulnerability has been found in FFmpeg 2.0 and classified as problematic. This vulnerability affects the function decode_hextile of the file libavcodec/vmnc.c. The manipulation leads to memory corruption. The attack can be initiated remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125005 |
A vulnerability, which was classified as problematic, was found in FFmpeg 2.0. This affects the function decode_vol_header of the file libavcodec/mpeg4videodec.c. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125006 |
A vulnerability, which was classified as problematic, has been found in FFmpeg 2.0. Affected by this issue is the function output_frame of the file libavcodec/h264.c. The manipulation leads to memory corruption. The attack may be launched remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125007 |
A vulnerability classified as problematic was found in FFmpeg 2.0. Affected by this vulnerability is the function intra_pred of the file libavcodec/hevcpred_template.c. The manipulation leads to memory corruption. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125008 |
A vulnerability classified as problematic has been found in FFmpeg 2.0. Affected is the function vorbis_header of the file libavformat/oggparsevorbis.c. The manipulation leads to memory corruption. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125009 |
A vulnerability classified as problematic has been found in FFmpeg 2.0. This affects the function add_yblock of the file libavcodec/snow.h. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125010 |
A vulnerability was found in FFmpeg 2.0. It has been rated as critical. Affected by this issue is the function decode_slice_header of the file libavcodec/h64.c. The manipulation leads to memory corruption. The attack may be launched remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125011 |
A vulnerability was found in FFmpeg 2.0. It has been declared as problematic. Affected by this vulnerability is the function decode_frame of the file libavcodec/ansi.c. The manipulation leads to integer coercion error. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125012 |
A vulnerability was found in FFmpeg 2.0. It has been classified as problematic. Affected is an unknown function of the file libavcodec/dxtroy.c. The manipulation leads to integer coercion error. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125013 |
A vulnerability was found in FFmpeg 2.0 and classified as problematic. This issue affects the function msrle_decode_frame of the file libavcodec/msrle.c. The manipulation leads to memory corruption. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125014 |
A vulnerability classified as problematic was found in FFmpeg 2.0. Affected by this vulnerability is an unknown functionality of the component HEVC Video Decoder. The manipulation leads to memory corruption. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125015 |
A vulnerability classified as critical has been found in FFmpeg 2.0. Affected is the function read_var_block_data. The manipulation leads to memory corruption. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125016 |
A vulnerability was found in FFmpeg 2.0. It has been rated as problematic. This issue affects the function ff_init_buffer_info of the file utils.c. The manipulation leads to memory corruption. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125017 |
A vulnerability classified as critical was found in FFmpeg 2.0. This vulnerability affects the function rpza_decode_stream. The manipulation leads to memory corruption. The attack can be initiated remotely. The name of the patch is Fixes Invalid Writes. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125018 |
A vulnerability, which was classified as problematic, has been found in FFmpeg 2.0. Affected by this issue is the function decode_slice_header. The manipulation leads to memory corruption. The attack may be launched remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125019 |
A vulnerability, which was classified as problematic, was found in FFmpeg 2.0. This affects the function decode_nal_unit of the component Slice Segment Handler. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125020 |
A vulnerability has been found in FFmpeg 2.0 and classified as critical. This vulnerability affects the function decode_update_thread_context. The manipulation leads to memory corruption. The attack can be initiated remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125021 |
A vulnerability was found in FFmpeg 2.0 and classified as problematic. This issue affects the function cmv_process_header. The manipulation leads to memory corruption. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125022 |
A vulnerability was found in FFmpeg 2.0. It has been classified as problematic. Affected is the function shorten_decode_frame of the component Bitstream Buffer. The manipulation leads to memory corruption. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125023 |
A vulnerability was found in FFmpeg 2.0. It has been declared as problematic. Affected by this vulnerability is the function truemotion1_decode_header of the component Truemotion1 Handler. The manipulation leads to memory corruption. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125024 |
A vulnerability was found in FFmpeg 2.0. It has been rated as critical. Affected by this issue is the function lag_decode_frame. The manipulation leads to memory corruption. The attack may be launched remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-125025 |
A vulnerability classified as problematic has been found in FFmpeg 2.0. This affects the function decode_pulses. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-1251 |
Buffer overflow in Apple QuickTime before 7.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted clef atom in a movie file. |
QuickTime vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_quicktime |
|
|
CVE-2014-1252 |
Double free vulnerability in Apple Pages 2.x before 2.1 and 5.x before 5.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Microsoft Word file. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-1254 |
Apple Type Services (ATS) in Apple OS X before 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Type 1 font that is embedded in a document. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1255 |
Apple Type Services (ATS) in Apple OS X before 10.9.2 does not properly validate calls to the free function, which allows attackers to bypass the App Sandbox protection mechanism via crafted Mach messages. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1256 |
Buffer overflow in Apple Type Services (ATS) in Apple OS X before 10.9.2 allows attackers to bypass the App Sandbox protection mechanism via crafted Mach messages. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1257 |
CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1258 |
Heap-based buffer overflow in CoreAnimation in Apple OS X before 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted image. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1259 |
Buffer overflow in File Bookmark in Apple OS X before 10.9.2 allows attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted filename. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1260 |
QuickLook in Apple OS X through 10.8.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Microsoft Office document. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1261 |
Integer signedness error in CoreText in Apple OS X before 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Unicode font. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1262 |
Apple Type Services (ATS) in Apple OS X before 10.9.2 allows attackers to bypass the App Sandbox protection mechanism via crafted Mach messages that trigger memory corruption. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1263 |
curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1264 |
Finder in Apple OS X before 10.9.2 does not ensure ACL integrity after the viewing of file ACL information, which allows local users to bypass intended access restrictions in opportunistic circumstances via standard filesystem operations on a file with a damaged ACL. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1265 |
The systemsetup program in the Date and Time subsystem in Apple OS X before 10.9.2 allows local users to bypass intended access restrictions by changing the current time on the system clock. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1266 |
The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by (1) using an arbitrary private key for the signing step or (2) omitting the signing step. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-1267 |
The Configuration Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 does not properly evaluate the expiration date of a mobile configuration profile, which allows attackers to bypass intended access restrictions by using a profile after the date has passed. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1268 |
WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1269 and CVE-2014-1270. |
iTunes vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
web_client_safari |
|
|
CVE-2014-1269 |
WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1268 and CVE-2014-1270. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1270 |
WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1268 and CVE-2014-1269. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1271 |
CoreCapture in Apple iOS before 7.1 and Apple TV before 6.1 does not properly validate IOKit API calls, which allows attackers to cause a denial of service (assertion failure and device crash) via a crafted app. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1272 |
CrashHouseKeeping in Crash Reporting in Apple iOS before 7.1 and Apple TV before 6.1 allows local users to change arbitrary file permissions by leveraging a symlink. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1273 |
dyld in Apple iOS before 7.1 and Apple TV before 6.1 allows attackers to bypass code-signing requirements by leveraging use of text-relocation instructions in a dynamic library. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1274 |
FaceTime in Apple iOS before 7.1 allows physically proximate attackers to obtain sensitive FaceTime contact information by using the lock screen for an invalid FaceTime call. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1275 |
Buffer overflow in ImageIO in Apple iOS before 7.1 and Apple TV before 6.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted JPEG2000 data in a PDF document. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1276 |
IOKit HID Event in Apple iOS before 7.1 allows attackers to conduct user-action monitoring attacks against arbitrary apps via a crafted app that accesses an IOKit framework interface. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1278 |
The ptmx_get_ioctl function in the ARM kernel in Apple iOS before 7.1 and Apple TV before 6.1 allows local users to gain privileges or cause a denial of service (out-of-bounds memory access and device crash) via a crafted call. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1280 |
Video Driver in Apple iOS before 7.1 and Apple TV before 6.1 allows remote attackers to cause a denial of service (NULL pointer dereference and device hang) via a crafted video file with MPEG-4 encoding. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1281 |
Photos Backend in Apple iOS before 7.1 does not properly manage the asset-library cache during deletions, which allows physically proximate attackers to obtain sensitive photo data by launching the Photos app and looking under a transparent image. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1282 |
The Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 allows attackers to bypass intended configuration-profile visibility requirements via a long name. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1285 |
Springboard in Apple iOS before 7.1 allows physically proximate attackers to bypass intended access restrictions and read the home screen by leveraging an application crash during activation of an unactivated device. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1286 |
SpringBoard Lock Screen in Apple iOS before 7.1 allows remote attackers to cause a denial of service (lock-screen hang) by leveraging a state-management error. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1287 |
USB Host in Apple iOS before 7.1 and Apple TV before 6.1 allows physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted USB messages. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1289 |
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, and CVE-2014-1294. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1290 |
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, and CVE-2014-1294. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1291 |
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1292, CVE-2014-1293, and CVE-2014-1294. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1292 |
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1293, and CVE-2014-1294. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1293 |
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, and CVE-2014-1294. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1294 |
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, and CVE-2014-1293. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1295 |
Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9.x through 10.9.2, and Apple TV before 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack." |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-1296 |
CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-1298 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1299 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1300 |
Unspecified vulnerability in Apple Safari 7.0.2 on OS X allows remote attackers to execute arbitrary code with root privileges via unknown vectors, as demonstrated by Google during a Pwn4Fun competition at CanSecWest 2014. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1301 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
web_client_safari |
|
|
CVE-2014-1302 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1303 |
Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism via unspecified vectors, as demonstrated by Liang Chen during a Pwn2Own competition at CanSecWest 2014. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1304 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1305 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1307 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1308 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1309 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1310 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1311 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1312 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1313 |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1314 |
WindowServer in Apple OS X through 10.9.2 does not prevent session creation by a sandboxed application, which allows attackers to bypass the sandbox protection mechanism and execute arbitrary code via a crafted application. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1315 |
Format string vulnerability in CoreServicesUIAgent in Apple OS X 10.9.x through 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a URL. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1316 |
Heimdal, as used in Apple OS X through 10.9.2, allows remote attackers to cause a denial of service (abort and daemon exit) via ASN.1 data encountered in the Kerberos 5 protocol. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1317 |
iBooks Commerce in Apple OS X before 10.9.4 places Apple ID credentials in the iBooks log, which allows local users to obtain sensitive information by reading this file. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1318 |
The Intel Graphics Driver in Apple OS X through 10.9.2 does not properly validate a certain pointer, which allows attackers to execute arbitrary code via a crafted application. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1319 |
Buffer overflow in ImageIO in Apple OS X 10.9.x through 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG image. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1320 |
IOKit in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 places kernel pointers into an object data structure, which makes it easier for local users to bypass the ASLR protection mechanism by reading unspecified attributes of the object. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-1321 |
Power Management in Apple OS X 10.9.x through 10.9.2 allows physically proximate attackers to bypass an intended transition into the locked-screen state by touching (1) a key or (2) the trackpad during a lid-close action. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1322 |
The kernel in Apple OS X through 10.9.2 places a kernel pointer into an XNU object data structure accessible from user space, which makes it easier for local users to bypass the ASLR protection mechanism by reading an unspecified attribute of the object. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1323 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1324 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
web_client_safari |
|
|
CVE-2014-1325 |
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1326 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1327 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1329 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1330 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1331 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1333 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1334 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1335 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1336 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1337 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1338 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1339 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1340 |
WebKit, as used in Apple Safari before 6.1.5 and 7.x before 7.0.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1. |
iTunes vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
web_client_safari |
|
|
CVE-2014-1341 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1342 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1343 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1344 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1. |
iTunes vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
web_client_safari |
|
|
CVE-2014-1345 |
WebKit in Apple iOS before 7.1.2 and Apple Safari before 6.1.5 and 7.x before 7.0.5 does not properly encode domain names in URLs, which allows remote attackers to spoof the address bar via a crafted web site. |
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1346 |
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, does not properly interpret Unicode encoding, which allows remote attackers to spoof a postMessage origin, and bypass intended restrictions on sending a message to a connected frame or window, via crafted characters in a URL. |
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1347 |
Apple iTunes before 11.2.1 on OS X sets world-writable permissions for /Users and /Users/Shared during reboots, which allows local users to modify files, and consequently obtain access to arbitrary user accounts, via standard filesystem operations. |
iTunes vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes |
|
|
CVE-2014-1348 |
Mail in Apple iOS before 7.1.2 advertises the availability of data protection for attachments but stores cleartext attachments under mobile/Library/Mail/, which makes it easier for physically proximate attackers to obtain sensitive information by mounting the data partition. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1349 |
Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1350 |
Settings in Apple iOS before 7.1.2 allows physically proximate attackers to bypass an intended iCloud password requirement, and turn off the Find My iPhone service, by leveraging incorrect state management. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1351 |
Siri in Apple iOS before 7.1.2 allows physically proximate attackers to bypass an intended lock-screen passcode requirement, and read a contact list, via a Siri request that refers to a contact ambiguously. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1352 |
Lock Screen in Apple iOS before 7.1.2 does not properly enforce the limit on failed passcode attempts, which makes it easier for physically proximate attackers to conduct brute-force passcode-guessing attacks via unspecified vectors. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1353 |
Lock Screen in Apple iOS before 7.1.2 does not properly manage the telephony state in Airplane Mode, which allows physically proximate attackers to bypass the lock protection mechanism, and access a certain foreground application, via unspecified vectors. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1354 |
CoreGraphics in Apple iOS before 7.1.2 does not properly restrict allocation of stack memory for processing of XBM images, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted image data. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1355 |
The IOKit implementation in the kernel in Apple iOS before 7.1.2 and Apple TV before 6.1.2, and in IOReporting in Apple OS X before 10.9.4, allows local users to cause a denial of service (NULL pointer dereference and reboot) via crafted API arguments. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-1356 |
Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-1357 |
Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that generates log messages. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-1358 |
Integer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-1359 |
Integer underflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-1360 |
Lockdown in Apple iOS before 7.1.2 does not properly verify data from activation servers, which makes it easier for physically proximate attackers to bypass the Activation Lock protection mechanism via unspecified vectors. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-1361 |
Secure Transport in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 does not ensure that a DTLS message is accepted only for a DTLS connection, which allows remote attackers to obtain potentially sensitive information from uninitialized process memory by providing a DTLS message within a TLS connection. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-1362 |
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1363 |
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1364 |
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1365 |
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1366 |
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1367 |
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1368 |
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1369 |
WebKit in Apple Safari before 6.1.5 and 7.x before 7.0.5 allows user-assisted remote attackers to access file: URLs by leveraging a URL drag operation that originates at a crafted web site. |
Safari vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_safari |
|
|
CVE-2014-1370 |
The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1371 |
Array index error in Dock in Apple OS X before 10.9.4 allows attackers to execute arbitrary code or cause a denial of service (incorrect function-pointer dereference and application crash) by leveraging access to a sandboxed application for sending a message. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1372 |
Graphics Driver in Apple OS X before 10.9.4 does not properly restrict read operations during processing of an unspecified system call, which allows local users to obtain sensitive information from kernel memory and bypass the ASLR protection mechanism via a crafted call. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1373 |
Intel Graphics Driver in Apple OS X before 10.9.4 does not properly restrict an unspecified OpenGL API call, which allows attackers to execute arbitrary code via a crafted application. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1375 |
Intel Graphics Driver in Apple OS X before 10.9.4 allows local users to bypass the ASLR protection mechanism by leveraging read access to a kernel pointer in an IOKit object. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1376 |
Intel Compute in Apple OS X before 10.9.4 does not properly restrict an unspecified OpenCL API call, which allows attackers to execute arbitrary code via a crafted application. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1377 |
Array index error in IOAcceleratorFamily in Apple OS X before 10.9.4 allows attackers to execute arbitrary code via a crafted application. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1378 |
IOGraphicsFamily in Apple OS X before 10.9.4 allows local users to bypass the ASLR protection mechanism by leveraging read access to a kernel pointer in an IOKit object. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1379 |
Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1380 |
The Security - Keychain component in Apple OS X before 10.9.4 does not properly implement keystroke observers, which allows physically proximate attackers to bypass the screen-lock protection mechanism, and enter characters into an arbitrary window under the lock window, via keyboard input. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1381 |
Thunderbolt in Apple OS X before 10.9.4 does not properly restrict IOThunderBoltController API calls, which allows attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted call. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1382 |
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1384 |
WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1385 |
WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1386 |
WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367. |
iTunes vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
web_client_safari |
|
|
CVE-2014-1387 |
WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1388 |
WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1389 |
WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-1390 |
WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367. |
iTunes vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
web_client_safari |
|
|
CVE-2014-1391 |
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-1418 |
Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers. |
Django vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_djangover |
|
|
CVE-2014-1438 |
The restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does not clear pending exceptions before proceeding to an EMMS instruction, which allows local users to cause a denial of service (task kill) or possibly gain privileges via a crafted application. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-1447 |
Race condition in the virNetServerClientStartKeepAlive function in libvirt before 1.2.1 allows remote attackers to cause a denial of service (libvirtd crash) by closing a connection before a keepalive response is sent. |
libvirt vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_libvirtver |
|
|
CVE-2014-1475 |
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. |
Drupal vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal |
|
|
CVE-2014-1476 |
The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page. |
Drupal vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal |
|
|
CVE-2014-1477 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1478 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the MPostWriteBarrier class in js/src/jit/MIR.h and stack alignment in js/src/jit/AsmJS.cpp in OdinMonkey, and unknown other vectors. |
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1479 |
The System Only Wrapper (SOW) implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent certain cloning operations, which allows remote attackers to bypass intended restrictions on XUL content via vectors involving XBL content scopes. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1480 |
The file-download implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 does not properly restrict the timing of button selections, which allows remote attackers to conduct clickjacking attacks, and trigger unintended launching of a downloaded file, via a crafted web site. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1481 |
Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to bypass intended restrictions on window objects by leveraging inconsistency in native getter methods across different JavaScript engines. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1482 |
RasterImage.cpp in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent access to discarded data, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect write operations) via crafted image data, as demonstrated by Goo Create. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1483 |
Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain timing measurements involving the document.caretPositionFromPoint and document.elementFromPoint functions. |
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1485 |
The Content Security Policy (CSP) implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 operates on XSLT stylesheets according to style-src directives instead of script-src directives, which might allow remote attackers to execute arbitrary XSLT code by leveraging insufficient style-src restrictions. |
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1486 |
Use-after-free vulnerability in the imgRequestProxy function in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving unspecified Content-Type values for image data. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1487 |
The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1488 |
The Web workers implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving termination of a worker process that has performed a cross-thread object-passing operation in conjunction with use of asm.js. |
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1489 |
Mozilla Firefox before 27.0 does not properly restrict access to about:home buttons by script on other pages, which allows user-assisted remote attackers to cause a denial of service (session restore) via a crafted web site. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1490 |
Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1491 |
Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1492 |
The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1493 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1494 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1496 |
Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 might allow local users to gain privileges by modifying the extracted Mar contents during an update. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1497 |
The mozilla::WaveReader::DecodeAudioData function in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to obtain sensitive information from process heap memory, cause a denial of service (out-of-bounds read and application crash), or possibly have unspecified other impact via a crafted WAV file. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1498 |
The crypto.generateCRMFRequest method in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not properly validate a certain key type, which allows remote attackers to cause a denial of service (application crash) via vectors that trigger generation of a key that supports the Elliptic Curve ec-dual-use algorithm. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1499 |
Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to spoof the domain name in the WebRTC (1) camera or (2) microphone permission prompt by triggering navigation at a certain time during generation of this prompt. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1500 |
Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to cause a denial of service (resource consumption and application hang) via onbeforeunload events that trigger background JavaScript execution. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1502 |
The (1) WebGL.compressedTexImage2D and (2) WebGL.compressedTexSubImage2D functions in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to bypass the Same Origin Policy and render content in a different domain via unspecified vectors. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1504 |
The session-restore feature in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not consider the Content Security Policy of a data: URL, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document that is accessed after a browser restart. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1505 |
The SVG filter implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to obtain sensitive displacement-correlation information, and possibly bypass the Same Origin Policy and read text from a different domain, via a timing attack involving feDisplacementMap elements, a related issue to CVE-2013-1693. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1508 |
The libxul.so!gfxContext::Polygon function in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to obtain sensitive information from process memory, cause a denial of service (out-of-bounds read and application crash), or possibly bypass the Same Origin Policy via vectors involving MathML polygon rendering. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1509 |
Buffer overflow in the _cairo_truetype_index_to_ucs4 function in cairo, as used in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25, allows remote attackers to execute arbitrary code via a crafted extension that renders fonts in a PDF document. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1510 |
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to execute arbitrary JavaScript code with chrome privileges by using an IDL fragment to trigger a window.open call. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1511 |
Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remote attackers to bypass the popup blocker via unspecified vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1512 |
Use-after-free vulnerability in the TypeObject class in the JavaScript engine in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to execute arbitrary code by triggering extensive memory consumption while garbage collection is occurring, as demonstrated by improper handling of BumpChunk objects. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1513 |
TypedArrayObject.cpp in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 does not prevent a zero-length transition during use of an ArrayBuffer object, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based out-of-bounds write or read) via a crafted web site. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1514 |
vmtypedarrayobject.cpp in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 does not validate the length of the destination array before a copy operation, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write and application crash) by triggering incorrect use of the TypedArrayObject class. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1517 |
The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue. |
Bugzilla vulnerabilities
|
web_prog_cgi_bugzilla |
|
|
CVE-2014-1518 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1519 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0 and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1520 |
maintenservice_installer.exe in the Maintenance Service Installer in Mozilla Firefox before 29.0 and Firefox ESR 24.x before 24.5 on Windows allows local users to gain privileges by placing a Trojan horse DLL file into a temporary directory at an unspecified point in the update process. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1522 |
The mozilla::dom::OscillatorNodeEngine::ComputeCustom function in the Web Audio subsystem in Mozilla Firefox before 29.0 and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read, memory corruption, and application crash) via crafted content. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1523 |
Heap-based buffer overflow in the read_u32 function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG image. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1524 |
The nsXBLProtoImpl::InstallImplementation function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 does not properly check whether objects are XBL objects, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via crafted JavaScript code that accesses a non-XBL object as if it were an XBL object. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1525 |
The mozilla::dom::TextTrack::AddCue function in Mozilla Firefox before 29.0 and SeaMonkey before 2.26 does not properly perform garbage collection for Text Track Manager variables, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and heap memory corruption) via a crafted VIDEO element in an HTML document. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1526 |
The XrayWrapper implementation in Mozilla Firefox before 29.0 and SeaMonkey before 2.26 allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site that is visited in the debugger, leading to unwrapping operations and calls to DOM methods on the unwrapped objects. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1528 |
The sse2_composite_src_x888_8888 function in Pixman, as used in Cairo in Mozilla Firefox 28.0 and SeaMonkey 2.25 on Windows, allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write and application crash) by painting on a CANVAS element. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1529 |
The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to bypass intended source-component restrictions and execute arbitrary JavaScript code in a privileged context via a crafted web page for which Notification.permission is granted. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1530 |
The docshell implementation in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to trigger the loading of a URL with a spoofed baseURI property, and conduct cross-site scripting (XSS) attacks, via a crafted web site that performs history navigation. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1531 |
Use-after-free vulnerability in the nsGenericHTMLElement::GetWidthHeightForImage function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving an imgLoader object that is not properly handled during an image-resize operation. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1532 |
Use-after-free vulnerability in the nsHostResolver::ConditionallyRefreshRecord function in libxul.so in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors related to host resolution. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-1533 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 30.0, Firefox ESR 24.x before 24.6, and Thunderbird before 24.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1534 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 30.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1536 |
The PropertyProvider::FindJustificationRange function in Mozilla Firefox before 30.0 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1537 |
Use-after-free vulnerability in the mozilla::dom::workers::WorkerPrivateParent function in Mozilla Firefox before 30.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1538 |
Use-after-free vulnerability in the nsTextEditRules::CreateMozBR function in Mozilla Firefox before 30.0, Firefox ESR 24.x before 24.6, and Thunderbird before 24.6 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1539 |
Mozilla Firefox before 30.0 and Thunderbird through 24.6 on OS X do not ensure visibility of the cursor after interaction with a Flash object and a DIV element, which makes it easier for remote attackers to conduct clickjacking attacks via JavaScript code that produces a fake cursor image. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1540 |
Use-after-free vulnerability in the nsEventListenerManager::CompileEventHandlerInternal function in the Event Listener Manager in Mozilla Firefox before 30.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via crafted web content. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1541 |
Use-after-free vulnerability in the RefreshDriverTimer::TickDriver function in the SMIL Animation Controller in Mozilla Firefox before 30.0, Firefox ESR 24.x before 24.6, and Thunderbird before 24.6 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via crafted web content. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1542 |
Buffer overflow in the Speex resampler in the Web Audio subsystem in Mozilla Firefox before 30.0 allows remote attackers to execute arbitrary code via vectors related to a crafted AudioBuffer channel count and sample rate. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1543 |
Multiple heap-based buffer overflows in the navigator.getGamepads function in the Gamepad API in Mozilla Firefox before 30.0 allow remote attackers to execute arbitrary code by using non-contiguous axes with a (1) physical or (2) virtual Gamepad device. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1544 |
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Pale Moon vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_palemoonver
web_client_waterfox |
|
|
CVE-2014-1546 |
The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set. |
Bugzilla vulnerabilities
|
web_prog_cgi_bugzilla |
|
|
CVE-2014-1547 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1548 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1549 |
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via crafted audio content that is improperly handled during playback buffering. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1550 |
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1551 |
Use-after-free vulnerability in the FontTableRec destructor in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 on Windows allows remote attackers to execute arbitrary code via crafted use of fonts in MathML content, leading to improper handling of a DirectWrite font-face object. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1552 |
Mozilla Firefox before 31.0 and Thunderbird before 31.0 do not properly implement the sandbox attribute of the IFRAME element, which allows remote attackers to bypass intended restrictions on same-origin content via a crafted web site in conjunction with a redirect. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1553 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1554 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 32.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1555 |
Use-after-free vulnerability in the nsDocLoader::OnProgress function in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allows remote attackers to execute arbitrary code via vectors that trigger a FireOnStateChange event. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1556 |
Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to execute arbitrary code via crafted WebGL content constructed with the Cesium JavaScript library. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1557 |
The ConvolveHorizontally function in Skia, as used in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, does not properly handle the discarding of image data during function execution, which allows remote attackers to execute arbitrary code by triggering prolonged image scaling, as demonstrated by scaling of a high-quality image. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1558 |
Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (X.509 certificate parsing outage) via a crafted certificate that does not use UTF-8 character encoding in a required context, a different vulnerability than CVE-2014-1559. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1559 |
Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (X.509 certificate parsing outage) via a crafted certificate that does not use UTF-8 character encoding in a required context, a different vulnerability than CVE-2014-1558. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1560 |
Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (X.509 certificate parsing outage) via a crafted certificate that does not use ASCII character encoding in a required context. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1561 |
Mozilla Firefox before 31.0 does not properly restrict use of drag-and-drop events to spoof customization events, which allows remote attackers to alter the placement of UI icons via crafted JavaScript code that is encountered during (1) page, (2) panel, or (3) toolbar customization. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1562 |
Unspecified vulnerability in the browser engine in Mozilla Firefox before 32.0, Firefox ESR 24.x before 24.8 and 31.x before 31.1, and Thunderbird 24.x before 24.8 and 31.x before 31.1 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1563 |
Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1564 |
Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering, which allows remote attackers to obtain sensitive information from process memory via crafted web script that interacts with a CANVAS element associated with a malformed GIF image. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1565 |
The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1567 |
Use-after-free vulnerability in DirectionalityUtils.cpp in Mozilla Firefox before 32.0, Firefox ESR 24.x before 24.8 and 31.x before 31.1, and Thunderbird 24.x before 24.8 and 31.x before 31.1 allows remote attackers to execute arbitrary code via text that is improperly handled during the interaction between directionality resolution and layout. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1568 |
Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Google Chrome vulnerabilities
Oracle Glassfish Server vulnerabilities
Sun Java System Web Server vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_googlechrome
web_client_seamonkey
web_server_glassfishver
web_server_oracleiplanetver |
|
|
CVE-2014-1569 |
The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00. |
Oracle Glassfish Server vulnerabilities
Sun Java System Web Server vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_server_glassfishver
web_server_oracleiplanetver |
|
|
CVE-2014-1571 |
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient, related to Bug.pm, Flag.pm, and a mail template. |
Bugzilla vulnerabilities
|
web_prog_cgi_bugzilla |
|
|
CVE-2014-1572 |
The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not specify a scalar context for the realname parameter, which allows remote attackers to create accounts with unverified e-mail addresses by sending three realname values with realname=login_name as the second, as demonstrated by selecting an e-mail address with a domain name for which group privileges are automatically granted. |
Bugzilla vulnerabilities
|
web_prog_cgi_bugzilla |
|
|
CVE-2014-1573 |
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters, which allows remote attackers to conduct cross-site scripting (XSS) attacks by sending three values for a single parameter name. |
Bugzilla vulnerabilities
|
web_prog_cgi_bugzilla |
|
|
CVE-2014-1574 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1575 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 33.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to improper interaction between threading and garbage collection in the GCRuntime::triggerGC function in js/src/jsgc.cpp, and unknown other vectors. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1576 |
Heap-based buffer overflow in the nsTransformedTextRun function in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 allows remote attackers to execute arbitrary code via Cascading Style Sheets (CSS) token sequences that trigger changes to capitalization style. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1577 |
The mozilla::dom::OscillatorNodeEngine::ComputeCustom function in the Web Audio subsystem in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read, memory corruption, and application crash) via an invalid custom waveform that triggers a calculation of a negative frequency value. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1578 |
The get_tile function in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly execute arbitrary code via WebM frames with invalid tile sizes that are improperly handled in buffering operations during video playback. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1580 |
Mozilla Firefox before 33.0 does not properly initialize memory for GIF images, which allows remote attackers to obtain sensitive information from process memory via a crafted web page that triggers a sequence of rendering operations for truncated GIF data within a CANVAS element. |
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1581 |
Use-after-free vulnerability in DirectionalityUtils.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 allows remote attackers to execute arbitrary code via text that is improperly handled during the interaction between directionality resolution and layout. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1582 |
The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site by providing a valid certificate from an arbitrary recognized Certification Authority. |
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1583 |
The Alarm API in Mozilla Firefox before 33.0 and Firefox ESR 31.x before 31.2 does not properly restrict toJSON calls, which allows remote attackers to bypass the Same Origin Policy via crafted API calls that access sensitive information within the JSON data of an alarm. |
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1584 |
The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 skips pinning checks upon an unspecified issuer-verification error, which makes it easier for remote attackers to bypass an intended pinning configuration and spoof a web site via a crafted certificate that leads to presentation of the Untrusted Connection dialog to the user. |
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1585 |
The WebRTC video-sharing feature in dom/media/MediaManager.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not properly recognize Stop Sharing actions for videos in IFRAME elements, which allows remote attackers to obtain sensitive information from the local camera by maintaining a session after the user tries to discontinue streaming. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1586 |
content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away. |
Mozilla Thunderbird vulnerabilities
Avant Browser vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_avantver
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-1587 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1588 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1589 |
Mozilla Firefox before 34.0 and SeaMonkey before 2.31 provide stylesheets with an incorrect primary namespace, which allows remote attackers to bypass intended access restrictions via an XBL binding. |
Mozilla vulnerabilities
Pale Moon vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_palemoonver |
|
|
CVE-2014-1590 |
The XMLHttpRequest.prototype.send method in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allows remote attackers to cause a denial of service (application crash) via a crafted JavaScript object. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1591 |
Mozilla Firefox 33.0 and SeaMonkey before 2.31 include path strings in CSP violation reports, which allows remote attackers to obtain sensitive information via a web site that receives a report after a redirect. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1592 |
Use-after-free vulnerability in the nsHtml5TreeOperation function in xul.dll in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allows remote attackers to execute arbitrary code by adding a second root element to an HTML5 document during parsing. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1593 |
Stack-based buffer overflow in the mozilla::FileBlockCache::Read function in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allows remote attackers to execute arbitrary code via crafted media content. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Pale Moon vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_palemoonver |
|
|
CVE-2014-1594 |
Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 might allow remote attackers to execute arbitrary code by leveraging an incorrect cast from the BasicThebesLayer data type to the BasicContainerLayer data type. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox |
|
|
CVE-2014-1595 |
Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, and Thunderbird before 31.3 on Apple OS X 10.10 omit a CoreGraphics disable-logging action that is needed by jemalloc-based applications, which allows local users to obtain sensitive information by reading /tmp files, as demonstrated by credential information. |
Mozilla Thunderbird vulnerabilities
MacOSX vulnerabilities
Mozilla vulnerabilities
Pale Moon vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
misc_macosx_version
web_client_cyberfoxver
web_client_firefox
web_client_palemoonver |
|
|
CVE-2014-1608 |
SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-1609 |
Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2) news_get_limited_rows function in core/news_api.php; the (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter, or (7) summary_print_by_category function in core/summary_api.php; the (8) create_bug_enum_summary or (9) enum_bug_group function in plugins/MantisGraph/core/graph_api.php; (10) bug_graph_bycategory.php or (11) bug_graph_bystatus.php in plugins/MantisGraph/pages/; or (12) proj_doc_page.php, related to use of the db_query function, a different vulnerability than CVE-2014-1608. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-1610 |
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-1642 |
The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and configured to support a large number of CPUs, frees certain memory that may still be intended for use, which allows local guest administrators to cause a denial of service (memory corruption and hypervisor crash) and possibly execute arbitrary code via vectors related to an out-of-memory error that triggers a (1) use-after-free or (2) double free. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-1648 |
Cross-site scripting (XSS) vulnerability in brightmail/setting/compliance/DlpConnectFlow$view.flo in the management console in Symantec Messaging Gateway 10.x before 10.5.2 allows remote attackers to inject arbitrary web script or HTML via the displayTab parameter. |
Symantec Messaging Gateway vulnerabilities
|
misc_av_symantec_smgver |
|
|
CVE-2014-1650 |
SQL injection vulnerability in user.php in the management console in Symantec Web Gateway (SWG) before 5.2.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. |
Symantec Web Gateway vulnerability
|
misc_av_symantec_webgatewayver |
|
|
CVE-2014-1651 |
SQL injection vulnerability in clientreport.php in the management console in Symantec Web Gateway (SWG) before 5.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
Symantec Web Gateway vulnerability
|
misc_av_symantec_webgatewayver |
|
|
CVE-2014-1652 |
Multiple cross-site scripting (XSS) vulnerabilities in the management console in Symantec Web Gateway (SWG) before 5.2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified report parameters. |
Symantec Web Gateway vulnerability
|
misc_av_symantec_webgatewayver |
|
|
CVE-2014-1671 |
Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress element in a (1) getUploadPath or (2) getKBot SOAP request to service/kbot_service.php; the ID parameter to (3) userui/advisory_detail.php or (4) userui/ticket.php; and the (5) ORDER[] parameter to userui/ticket_list.php. |
Quest KACE vulnerabilities
|
net_kacesmaver |
|
|
CVE-2014-1681 |
Multiple unspecified vulnerabilities in Google Chrome before 32.0.1700.102 have unknown impact and attack vectors, related to 12 "security fixes [that were not] either contributed by external researchers or particularly interesting." |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1690 |
The help function in net/netfilter/nf_nat_irc.c in the Linux kernel before 3.12.8 allows remote attackers to obtain sensitive information from kernel memory by establishing an IRC DCC session in which incorrect packet data is transmitted during use of the NAT mangle feature. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-1692 |
The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition. |
OpenSSH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
shell_ssh_openssh |
|
|
CVE-2014-1700 |
Use-after-free vulnerability in modules/speech/SpeechSynthesis.cpp in Blink, as used in Google Chrome before 33.0.1750.149, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of a certain utterance data structure. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1701 |
The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1702 |
Use-after-free vulnerability in the DatabaseThread::cleanupDatabaseThread function in modules/webdatabase/DatabaseThread.cpp in the web database implementation in Blink, as used in Google Chrome before 33.0.1750.149, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of scheduled tasks during shutdown of a thread. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1703 |
Use-after-free vulnerability in the WebSocketDispatcherHost::SendOrDrop function in content/browser/renderer_host/websocket_dispatcher_host.cc in the Web Sockets implementation in Google Chrome before 33.0.1750.149 might allow remote attackers to bypass the sandbox protection mechanism by leveraging an incorrect deletion in a certain failure case. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1704 |
Multiple unspecified vulnerabilities in Google V8 before 3.23.17.18, as used in Google Chrome before 33.0.1750.149, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1705 |
Google V8, as used in Google Chrome before 33.0.1750.152 on OS X and Linux and before 33.0.1750.154 on Windows, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1713 |
Use-after-free vulnerability in the AttributeSetter function in bindings/templates/attributes.cpp in the bindings in Blink, as used in Google Chrome before 33.0.1750.152 on OS X and Linux and before 33.0.1750.154 on Windows, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving the document.location value. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Google Chrome vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_googlechrome
web_client_safari |
|
|
CVE-2014-1714 |
The ScopedClipboardWriter::WritePickledData function in ui/base/clipboard/scoped_clipboard_writer.cc in Google Chrome before 33.0.1750.152 on OS X and Linux and before 33.0.1750.154 on Windows does not verify a certain format value, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the clipboard. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1715 |
Directory traversal vulnerability in Google Chrome before 33.0.1750.152 on OS X and Linux and before 33.0.1750.154 on Windows has unspecified impact and attack vectors. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1716 |
Cross-site scripting (XSS) vulnerability in the Runtime_SetPrototype function in runtime.cc in Google V8, as used in Google Chrome before 34.0.1847.116, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)." |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1717 |
Google V8, as used in Google Chrome before 34.0.1847.116, does not properly use numeric casts during handling of typed arrays, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JavaScript code. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1718 |
Integer overflow in the SoftwareFrameManager::SwapToNewFrame function in content/browser/renderer_host/software_frame_manager.cc in the software compositor in Google Chrome before 34.0.1847.116 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted mapping of a large amount of renderer memory. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1719 |
Use-after-free vulnerability in the WebSharedWorkerStub::OnTerminateWorkerContext function in content/worker/websharedworker_stub.cc in the Web Workers implementation in Google Chrome before 34.0.1847.116 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via vectors that trigger a SharedWorker termination during script loading. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1720 |
Use-after-free vulnerability in the HTMLBodyElement::insertedInto function in core/html/HTMLBodyElement.cpp in Blink, as used in Google Chrome before 34.0.1847.116, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving attributes. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1721 |
Google V8, as used in Google Chrome before 34.0.1847.116, does not properly implement lazy deoptimization, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code, as demonstrated by improper handling of a heap allocation of a number outside the Small Integer (aka smi) range. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1722 |
Use-after-free vulnerability in the RenderBlock::addChildIgnoringAnonymousColumnBlocks function in core/rendering/RenderBlock.cpp in Blink, as used in Google Chrome before 34.0.1847.116, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving addition of a child node. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1723 |
The UnescapeURLWithOffsetsImpl function in net/base/escape.cc in Google Chrome before 34.0.1847.116 does not properly handle bidirectional Internationalized Resource Identifiers (IRIs), which makes it easier for remote attackers to spoof URLs via crafted use of right-to-left (RTL) Unicode text. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1724 |
Use-after-free vulnerability in Free(b)soft Laboratory Speech Dispatcher 0.7.1, as used in Google Chrome before 34.0.1847.116, allows remote attackers to cause a denial of service (application hang) or possibly have unspecified other impact via a text-to-speech request. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1725 |
The base64DecodeInternal function in wtf/text/Base64.cpp in Blink, as used in Google Chrome before 34.0.1847.116, does not properly handle string data composed exclusively of whitespace characters, which allows remote attackers to cause a denial of service (out-of-bounds read) via a window.atob method call. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1726 |
The drag implementation in Google Chrome before 34.0.1847.116 allows user-assisted remote attackers to bypass the Same Origin Policy and forge local pathnames by leveraging renderer access. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1727 |
Use-after-free vulnerability in content/renderer/renderer_webcolorchooser_impl.h in Google Chrome before 34.0.1847.116 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to forms. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1728 |
Multiple unspecified vulnerabilities in Google Chrome before 34.0.1847.116 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1729 |
Multiple unspecified vulnerabilities in Google V8 before 3.24.35.22, as used in Google Chrome before 34.0.1847.116, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1730 |
Google V8, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly store internationalization metadata, which allows remote attackers to bypass intended access restrictions by leveraging "type confusion" and reading property values, related to i18n.js and runtime.cc. |
Avant Browser vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_googlechrome |
|
|
CVE-2014-1731 |
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly check renderer state upon a focus event, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion" for SELECT elements. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Avant Browser vulnerabilities
Google Chrome vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_avantver
web_client_googlechrome
web_client_safari |
|
|
CVE-2014-1732 |
Use-after-free vulnerability in browser/ui/views/speech_recognition_bubble_views.cc in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux allows remote attackers to cause a denial of service or possibly have unspecified other impact via an INPUT element that triggers the presence of a Speech Recognition Bubble window for an incorrect duration. |
Avant Browser vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_googlechrome |
|
|
CVE-2014-1733 |
The PointerCompare function in codegen.cc in Seccomp-BPF, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly merge blocks, which might allow remote attackers to bypass intended sandbox restrictions by leveraging renderer access. |
Avant Browser vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_googlechrome |
|
|
CVE-2014-1734 |
Multiple unspecified vulnerabilities in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
Avant Browser vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_googlechrome |
|
|
CVE-2014-1735 |
Multiple unspecified vulnerabilities in Google V8 before 3.24.35.33, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
Avant Browser vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_googlechrome |
|
|
CVE-2014-1736 |
Integer overflow in api.cc in Google V8, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large length value. |
Avant Browser vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_avantver
web_client_googlechrome |
|
|
CVE-2014-1740 |
Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1741 |
Multiple integer overflows in the replace-data functionality in the CharacterData interface implementation in core/dom/CharacterData.cpp in Blink, as used in Google Chrome before 34.0.1847.137, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to ranges. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1742 |
Use-after-free vulnerability in the FrameSelection::updateAppearance function in core/editing/FrameSelection.cpp in Blink, as used in Google Chrome before 34.0.1847.137, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper RenderObject handling. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1743 |
Use-after-free vulnerability in the StyleElement::removedFromDocument function in core/dom/StyleElement.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code that triggers tree mutation. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1744 |
Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1745 |
Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger removal of an SVGFontFaceElement object, related to core/svg/SVGFontFaceElement.cpp. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver
web_client_googlechrome |
|
|
CVE-2014-1746 |
The InMemoryUrlProtocol::Read function in media/filters/in_memory_url_protocol.cc in Google Chrome before 35.0.1916.114 relies on an insufficiently large integer data type, which allows remote attackers to cause a denial of service (out-of-bounds read) via vectors that trigger use of a large buffer. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1747 |
Cross-site scripting (XSS) vulnerability in the DocumentLoader::maybeCreateArchive function in core/loader/DocumentLoader.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to inject arbitrary web script or HTML via crafted MHTML content, aka "Universal XSS (UXSS)." |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1748 |
The ScrollView::paint function in platform/scroll/ScrollView.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to spoof the UI by extending scrollbar painting into the parent frame. |
Google Chrome vulnerabilities
Safari vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_safari |
|
|
CVE-2014-1749 |
Multiple unspecified vulnerabilities in Google Chrome before 35.0.1916.114 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-1751 |
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0235 and CVE-2014-1755. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v9 |
|
|
CVE-2014-1752 |
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7 |
|
|
CVE-2014-1753 |
Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1754 |
Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server 2013 Gold and SP1, SharePoint Foundation 2013 Gold and SP1, Office Web Apps Server 2013 Gold and SP1, and SharePoint Server 2013 Client Components SDK allows remote attackers to inject arbitrary web script or HTML via a crafted request, aka "SharePoint XSS Vulnerability." |
Microsoft Office Web Apps vulnerabilities
Windows updates needed
Note: A valid SNMP read community string is required to detect this vulnerability |
win_patch_officeweb2013ver
win_patch_sharepoint2013ms14022
win_patch_sharepointdesigner2013ms14022 |
|
|
CVE-2014-1755 |
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0235 and CVE-2014-1751. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v9 |
|
|
CVE-2014-1756 |
Untrusted search path vulnerability in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and 2013 Gold, SP1, RT, and RT SP1, when the Simplified Chinese Proofing Tool is enabled, allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Microsoft Office Chinese Grammar Checking Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_office200714023
win_patch_office201014023
win_patch_office201314023 |
|
|
CVE-2014-1757 |
Microsoft Word 2007 SP3 and 2010 SP1 and SP2, and Office Compatibility Pack SP3, allocates memory incorrectly for file conversions from a binary (aka .doc) format to a newer format, which allows remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office File Format Converter Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_word2007
win_patch_word2010
win_patch_wordcompack |
|
|
CVE-2014-1758 |
Stack-based buffer overflow in Microsoft Word 2003 SP3 allows remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Word Stack Overflow Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_word2003 |
|
|
CVE-2014-1759 |
pubconv.dll in Microsoft Publisher 2003 SP3 and 2007 SP3 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference and application crash) via a crafted .pub file, aka "Arbitrary Pointer Dereference Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_pubconv2003
win_patch_pubconv2007 |
|
|
CVE-2014-1760 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-1761 |
Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Word Viewer; Office Compatibility Pack SP3; Office for Mac 2011; Word Automation Services on SharePoint Server 2010 SP1 and SP2 and 2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, as exploited in the wild in March 2014. |
Microsoft Office vulnerabilities
Microsoft Office Web Apps vulnerabilities
Windows updates needed
Note: A valid SNMP read community string is required to detect this vulnerability |
win_patch_office2011macver
win_patch_officeweb201014017
win_patch_officeweb2013ver
win_patch_sharepoint201014017
win_patch_sp2k3word14017
win_patch_word2003
win_patch_word2007
win_patch_word2010
win_patch_word2013
win_patch_wordcompack
win_patch_wordview2003 |
|
|
CVE-2014-1762 |
Unspecified vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code with medium-integrity privileges and bypass a sandbox protection mechanism via unknown vectors, as demonstrated by ZDI during a Pwn4Fun competition at CanSecWest 2014. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1763 |
Use-after-free vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2014. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-1764 |
Microsoft Internet Explorer 7 through 11 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism by leveraging "object confusion" in a broker process, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2014. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1765 |
Multiple use-after-free vulnerabilities in Microsoft Internet Explorer 6 through 11 allow remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by Sebastian Apelt and Andreas Schmidt during a Pwn2Own competition at CanSecWest 2014. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1766 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, as demonstrated by Sebastian Apelt and Andreas Schmidt during a Pwn2Own competition at CanSecWest 2014. NOTE: the original disclosure referred to triggering a kernel bug with the Internet Explorer exploit payload, but this ID is not for a kernel vulnerability. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-1767 |
Double free vulnerability in the Ancillary Function Driver (AFD) in afd.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_afdms14040 |
|
|
CVE-2014-1769 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1782, CVE-2014-1785, CVE-2014-2753, CVE-2014-2755, CVE-2014-2760, CVE-2014-2761, CVE-2014-2772, and CVE-2014-2776. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-1770 |
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript code that interacts improperly with a CollectGarbage function call on a CMarkup object allocated by the CMarkup::CreateInitialMarkup function. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1771 |
SChannel in Microsoft Internet Explorer 6 through 11 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack," aka "TLS Server Certificate Renegotiation Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1772 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1780, CVE-2014-1794, CVE-2014-1797, CVE-2014-1802, CVE-2014-2756, CVE-2014-2763, CVE-2014-2764, CVE-2014-2769, and CVE-2014-2771. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-1773 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1783, CVE-2014-1784, CVE-2014-1786, CVE-2014-1795, CVE-2014-1805, CVE-2014-2758, CVE-2014-2759, CVE-2014-2765, CVE-2014-2766, and CVE-2014-2775. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-1774 |
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1788 and CVE-2014-2754. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v9 |
|
|
CVE-2014-1775 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0282, CVE-2014-1779, CVE-2014-1799, CVE-2014-1803, and CVE-2014-2757. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1776 |
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the CMarkup::IsConnectedToPrimaryMarkup function, as exploited in the wild in April 2014. NOTE: this issue originally emphasized VGX.DLL, but Microsoft clarified that "VGX.DLL does not contain the vulnerable code leveraged in this exploit. Disabling VGX.DLL is an exploit-specific workaround that provides an immediate, effective workaround to help block known attacks." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1777 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to read local files on the client via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-1778 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary web script with increased privileges via unspecified vectors, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2014-2777. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1779 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0282, CVE-2014-1775, CVE-2014-1799, CVE-2014-1803, and CVE-2014-2757. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1780 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1772, CVE-2014-1794, CVE-2014-1797, CVE-2014-1802, CVE-2014-2756, CVE-2014-2763, CVE-2014-2764, CVE-2014-2769, and CVE-2014-2771. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-1781 |
Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1792, CVE-2014-1804, and CVE-2014-2770. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8 |
|
|
CVE-2014-1782 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1769, CVE-2014-1785, CVE-2014-2753, CVE-2014-2755, CVE-2014-2760, CVE-2014-2761, CVE-2014-2772, and CVE-2014-2776. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-1783 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1773, CVE-2014-1784, CVE-2014-1786, CVE-2014-1795, CVE-2014-1805, CVE-2014-2758, CVE-2014-2759, CVE-2014-2765, CVE-2014-2766, and CVE-2014-2775. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-1784 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1773, CVE-2014-1783, CVE-2014-1786, CVE-2014-1795, CVE-2014-1805, CVE-2014-2758, CVE-2014-2759, CVE-2014-2765, CVE-2014-2766, and CVE-2014-2775. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-1785 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1769, CVE-2014-1782, CVE-2014-2753, CVE-2014-2755, CVE-2014-2760, CVE-2014-2761, CVE-2014-2772, and CVE-2014-2776. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-1786 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1773, CVE-2014-1783, CVE-2014-1784, CVE-2014-1795, CVE-2014-1805, CVE-2014-2758, CVE-2014-2759, CVE-2014-2765, CVE-2014-2766, and CVE-2014-2775. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-1788 |
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1774 and CVE-2014-2754. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v9 |
|
|
CVE-2014-1789 |
Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1790. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10 |
|
|
CVE-2014-1790 |
Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1789. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10 |
|
|
CVE-2014-1791 |
Microsoft Internet Explorer 7 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1792 |
Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1781, CVE-2014-1804, and CVE-2014-2770. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8 |
|
|
CVE-2014-1794 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1772, CVE-2014-1780, CVE-2014-1797, CVE-2014-1802, CVE-2014-2756, CVE-2014-2763, CVE-2014-2764, CVE-2014-2769, and CVE-2014-2771. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-1795 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1773, CVE-2014-1783, CVE-2014-1784, CVE-2014-1786, CVE-2014-1805, CVE-2014-2758, CVE-2014-2759, CVE-2014-2765, CVE-2014-2766, and CVE-2014-2775. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-1796 |
Microsoft Internet Explorer 6 and 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1797 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1772, CVE-2014-1780, CVE-2014-1794, CVE-2014-1802, CVE-2014-2756, CVE-2014-2763, CVE-2014-2764, CVE-2014-2769, and CVE-2014-2771. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-1799 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0282, CVE-2014-1775, CVE-2014-1779, CVE-2014-1803, and CVE-2014-2757. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1800 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1802 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1772, CVE-2014-1780, CVE-2014-1794, CVE-2014-1797, CVE-2014-2756, CVE-2014-2763, CVE-2014-2764, CVE-2014-2769, and CVE-2014-2771. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-1803 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0282, CVE-2014-1775, CVE-2014-1779, CVE-2014-1799, and CVE-2014-2757. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1804 |
Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1781, CVE-2014-1792, and CVE-2014-2770. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8 |
|
|
CVE-2014-1805 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1773, CVE-2014-1783, CVE-2014-1784, CVE-2014-1786, CVE-2014-1795, CVE-2014-2758, CVE-2014-2759, CVE-2014-2765, CVE-2014-2766, and CVE-2014-2775. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-1806 |
The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability." |
Microsoft NET Framework
Note: Authentication is required to detect this vulnerability |
win_dotnetfw110ms14026
win_dotnetfw200ms14026
win_dotnetfw350ms14026
win_dotnetfw351ms14026
win_dotnetfw4n45plusms14026 |
|
|
CVE-2014-1807 |
The ShellExecute API in Windows Shell in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly implement file associations, which allows local users to gain privileges via a crafted application, as exploited in the wild in May 2014, aka "Windows Shell File Association Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_shell14027 |
|
|
CVE-2014-1808 |
Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_office201314023 |
|
|
CVE-2014-1809 |
The MSCOMCTL library in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and 2013 Gold, SP1, RT, and RT SP1 makes it easier for remote attackers to bypass the ASLR protection mechanism via a crafted web site, as exploited in the wild in May 2014, aka "MSCOMCTL ASLR Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_office14024
win_patch_office2007comctl
win_patch_office2010comctl
win_patch_office2013comctl |
|
|
CVE-2014-1811 |
The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_tcpms14031 |
|
|
CVE-2014-1812 |
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_grouppolicy14025 |
|
|
CVE-2014-1813 |
Microsoft Web Applications 2010 SP1 and SP2 allows remote authenticated users to execute arbitrary code via crafted page content, aka "Web Applications Page Content Vulnerability." |
Microsoft Office Web Apps vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_officeweb201014022 |
|
|
CVE-2014-1814 |
The Windows Installer in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application that invokes the repair feature for a different application, aka "Windows Installer Repair Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_installer14049 |
|
|
CVE-2014-1815 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, as exploited in the wild in May 2014, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0310. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-1816 |
Microsoft XML Core Services (aka MSXML) 3.0 and 6.0 does not properly restrict the information transmitted by Internet Explorer during a download action, which allows remote attackers to discover (1) full pathnames on the client system and (2) local usernames embedded in these pathnames via a crafted web site, aka "MSXML Entity URI Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_xmlcorever14033 |
|
|
CVE-2014-1817 |
usp10.dll in Uniscribe (aka the Unicode Script Processor) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, Office 2007 SP3 and 2010 SP1 and SP2, Live Meeting 2007 Console, Lync 2010 and 2013, Lync 2010 Attendee, and Lync Basic 2013 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted EMF+ record in a font file, aka "Unicode Scripts Processor Vulnerability." |
Windows updates needed
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_gdi14036
win_patch_gdiplus14036
win_patch_lync14036
win_patch_office14036
win_patch_uniscribe14036 |
|
|
CVE-2014-1818 |
GDI+ in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, Office 2007 SP3 and 2010 SP1 and SP2, Live Meeting 2007 Console, Lync 2010 and 2013, Lync 2010 Attendee, and Lync Basic 2013 allows remote attackers to execute arbitrary code via a crafted EMF+ record in an image file, aka "GDI+ Image Parsing Vulnerability." |
Windows updates needed
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_gdi14036
win_patch_gdiplus14036
win_patch_lync14036
win_patch_office14036
win_patch_uniscribe14036 |
|
|
CVE-2014-1819 |
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly control access to objects associated with font files, which allows local users to gain privileges via a crafted file, aka "Font Double-Fetch Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_kernelmode14045
win_patch_kernelpool14045 |
|
|
CVE-2014-1820 |
Cross-site scripting (XSS) vulnerability in Master Data Services (MDS) in Microsoft SQL Server 2012 SP1 and 2014 on 64-bit platforms allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "SQL Master Data Services XSS Vulnerability." |
Microsoft SQL Server
Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql |
|
|
CVE-2014-1823 |
Cross-site scripting (XSS) vulnerability in the Web Components Server in Microsoft Lync Server 2010 and 2013 allows remote attackers to inject arbitrary web script or HTML via a crafted URL containing a valid meeting ID, aka "Lync Server Content Sanitization Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14032lync |
|
|
CVE-2014-1824 |
Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted Journal (aka .JNT) file, aka "Windows Journal Remote Code Execution Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_winjrnlms14038 |
|
|
CVE-2014-1840 |
Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB 1.6.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a do_search action, which is not properly handled in a forced SQL error message. |
MyBB vulnerabilities
|
web_prog_php_mybb |
|
|
CVE-2014-1869 |
Multiple cross-site scripting (XSS) vulnerabilities in ZeroClipboard.swf in ZeroClipboard before 1.3.2, as maintained by Jon Rohan and James M. Greene, allow remote attackers to inject arbitrary web script or HTML via vectors related to certain SWF query parameters (aka loaderInfo.parameters). |
Jenkins vulnerabilities
|
web_prog_jsp_jenkinsver |
|
|
CVE-2014-1876 |
The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6, 7, and 8; Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 does not securely create temporary files when a log file cannot be opened, which allows local users to overwrite arbitrary files via a symlink attack on /tmp/unpack.log. |
Java Plugin vulnerability
Oracle JRockit vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_jrockitver |
|
|
CVE-2014-1879 |
Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-1895 |
Off-by-one error in the flask_security_avc_cachestats function in xsm/flask/flask_op.c in Xen 4.2.x and 4.3.x, when the maximum number of physical CPUs are in use, allows local users to cause a denial of service (host crash) or obtain sensitive information from hypervisor memory by leveraging a FLASK_AVC_CACHESTAT hypercall, which triggers a buffer over-read. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-1912 |
Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string. |
MacOSX vulnerabilities
Python vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_python |
|
|
CVE-2014-1939 |
java/android/webkit/BrowserFrame.java in Android before 4.4 uses the addJavascriptInterface API in conjunction with creating an object of the SearchBoxImpl class, which allows attackers to execute arbitrary Java code by leveraging access to the searchBoxJavaBridge_ interface at certain Android API levels. |
Google Android vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_androidver |
|
|
CVE-2014-1943 |
Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-1945 |
SQL injection vulnerability in ajax_udf.php in OpenDocMan before 1.2.7.2 allows remote attackers to execute arbitrary SQL commands via the add_value parameter. |
OpenDocMan vulnerabilities
|
web_prog_php_opendocmanver |
|
|
CVE-2014-1966 |
The SNMP implementation in Siemens RuggedCom ROS before 3.11, ROS 3.11 for RS950G, ROS 3.12 before 3.12.4, and ROS 4.0 for RSG2488 allows remote attackers to cause a denial of service (device outage) via crafted packets. |
RuggedCom device
|
misc_scada_ruggedcomver |
|
|
CVE-2014-2019 |
The iCloud subsystem in Apple iOS before 7.1 allows physically proximate attackers to bypass an intended password requirement, and turn off the Find My iPhone service or complete a Delete Account action and then associate this service with a different Apple ID account, by entering an arbitrary iCloud Account Password value and a blank iCloud Account Description value. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-2039 |
arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the s390 platform does not properly handle attempted use of the linkage stack, which allows local users to cause a denial of service (system crash) by executing a crafted instruction. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-2044 |
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program. |
OwnCloud vulnerabilities
|
misc_owncloudver |
|
|
CVE-2014-2053 |
getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-2097 |
The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before 2.1.4 does not properly validate a certain bits-per-sample value, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted TAK (aka Tom's lossless Audio Kompressor) data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-2098 |
libavcodec/wmalosslessdec.c in FFmpeg before 2.1.4 uses an incorrect data-structure size for certain coefficients, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted WMA data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-2099 |
The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before 2.1.4 does not properly calculate line sizes, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Microsoft RLE video data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-2106 |
Cisco IOS 15.3M before 15.3(3)M2 and IOS XE 3.10.xS before 3.10.2S allow remote attackers to cause a denial of service (device reload) via crafted SIP messages, aka Bug ID CSCug45898. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-2107 |
Cisco IOS 12.2 and 15.0 through 15.3, when used with the Kailash FPGA before 2.6 on RSP720-3C-10GE and RSP720-3CXL-10GE devices, allows remote attackers to cause a denial of service (route switch processor outage) via crafted IP packets, aka Bug ID CSCug84789. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-2108 |
Cisco IOS 12.2 and 15.0 through 15.3 and IOS XE 3.2 through 3.7 before 3.7.5S and 3.8 through 3.10 before 3.10.1S allow remote attackers to cause a denial of service (device reload) via a malformed IKEv2 packet, aka Bug ID CSCui88426. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-2109 |
The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-2111 |
The Application Layer Gateway (ALG) module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (device reload) via crafted DNS packets, aka Bug ID CSCue00996. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-2112 |
The SSL VPN (aka WebVPN) feature in Cisco IOS 15.1 through 15.4 allows remote attackers to cause a denial of service (memory consumption) via crafted HTTP requests, aka Bug ID CSCuf51357. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-2113 |
Cisco IOS 15.1 through 15.3 and IOS XE 3.3 and 3.5 before 3.5.2E; 3.7 before 3.7.5S; and 3.8, 3.9, and 3.10 before 3.10.2S allow remote attackers to cause a denial of service (I/O memory consumption and device reload) via a malformed IPv6 packet, aka Bug ID CSCui59540. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-2120 |
Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun19025. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-2124 |
Cisco IOS 15.1(2)SY3 and earlier, when used with Supervisor Engine 2T (aka Sup2T) on Catalyst 6500 devices, allows remote attackers to cause a denial of service (device crash) via crafted multicast packets, aka Bug ID CSCuf60783. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-2126 |
Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47), 8.4 before 8.4(7.5), 8.7 before 8.7(1.11), 9.0 before 9.0(3.10), and 9.1 before 9.1(3.4) allows remote authenticated users to gain privileges by leveraging level-0 ASDM access, aka Bug ID CSCuj33496. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-2127 |
Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-2128 |
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-2129 |
The SIP inspection engine in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.48), 8.4 before 8.4(6.5), 9.0 before 9.0(3.1), and 9.1 before 9.1(2.5) allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted SIP packets, aka Bug ID CSCuh44052. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-2131 |
The packet driver in Cisco IOS allows remote attackers to cause a denial of service (device reload) via a series of (1) Virtual Switching Systems (VSS) or (2) Bidirectional Forwarding Detection (BFD) packets, aka Bug IDs CSCug41049 and CSCue61890. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-2143 |
The IKE implementation in Cisco IOS 15.4(1)T and earlier and IOS XE allows remote attackers to cause a denial of service (security-association drop) via crafted Main Mode packets, aka Bug ID CSCun31021. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-2144 |
Cisco IOS XR does not properly throttle ICMPv6 redirect packets, which allows remote attackers to cause a denial of service (IPv4 and IPv6 transit outage) via crafted redirect messages, aka Bug ID CSCum14266. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-2151 |
The WebVPN portal in Cisco Adaptive Security Appliance (ASA) Software 8.4(.7.15) and earlier allows remote authenticated users to obtain sensitive information via a crafted JavaScript file, aka Bug ID CSCui04520. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-2154 |
Memory leak in the SIP inspection engine in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to cause a denial of service (memory consumption and instability) via crafted SIP packets, aka Bug ID CSCuf67469. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-2181 |
Cisco Adaptive Security Appliance (ASA) Software allows remote authenticated users to read files by sending a crafted URL to the HTTP server, as demonstrated by reading the running configuration, aka Bug ID CSCun78551. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-2182 |
Cisco Adaptive Security Appliance (ASA) Software, when DHCPv6 replay is configured, allows remote attackers to cause a denial of service (device reload) via a crafted DHCPv6 packet, aka Bug ID CSCun45520. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-2184 |
The IP Manager Assistant (IPMA) component in Cisco Unified Communications Manager (Unified CM) allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCun74352. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-2185 |
The Call Detail Records (CDR) Management component in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to obtain sensitive information by reading extraneous fields in an HTML document, aka Bug ID CSCun74374. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-2205 |
The Import and Export Framework in McAfee ePolicy Orchestrator (ePO) before 4.6.7 Hotfix 940148 allows remote authenticated users with permissions to add dashboards to read arbitrary files by importing a crafted XML file, related to an XML External Entity (XXE) issue. |
McAfee ePolicy Orchestrator
Note: Authentication is required to detect this vulnerability |
web_tool_epolicyver |
|
|
CVE-2014-2240 |
Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of stem hints in a font file. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-2241 |
The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer functions in cff/cf2ft.c in FreeType before 2.5.3 do not properly check if a subroutine exists, which allows remote attackers to cause a denial of service (assertion failure), as demonstrated by a crafted ttf file. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-2242 |
includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-2243 |
includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-2244 |
Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in the text parameter to api.php. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-2245 |
SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are obtained from third party information. |
CMSSimple vulnerabilities
|
web_cms_simplever |
|
|
CVE-2014-2263 |
The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) muxer (libavformat/mpegtsenc.c) in FFmpeg, possibly 2.1 and earlier, allows remote attackers to have unspecified impact and vectors, which trigger an out-of-bounds write. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-2270 |
softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-2281 |
The nfs_name_snoop_add_name function in epan/dissectors/packet-nfs.c in the NFS dissector in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 does not validate a certain length value, which allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted NFS packet. |
Ethereal vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_wireshark |
|
|
CVE-2014-2282 |
The dissect_protocol_data_parameter function in epan/dissectors/packet-m3ua.c in the M3UA dissector in Wireshark 1.10.x before 1.10.6 does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) via a crafted SS7 MTP3 packet. |
Ethereal vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_wireshark |
|
|
CVE-2014-2283 |
epan/dissectors/packet-rlc in the RLC dissector in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 uses inconsistent memory-management approaches, which allows remote attackers to cause a denial of service (use-after-free error and application crash) via a crafted UMTS Radio Link Control packet. |
Ethereal vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_wireshark |
|
|
CVE-2014-2284 |
The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before 5.5.2.1, 5.6.x before 5.6.2.1, and 5.7.x before 5.7.2.1 does not properly validate input, which allows remote attackers to cause a denial of service via unspecified vectors. |
Net SNMP vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_snmp_snmpver |
|
|
CVE-2014-2285 |
The perl_trapd_handler function in perl/TrapReceiver/TrapReceiver.xs in Net-SNMP 5.7.3.pre3 and earlier, when using certain Perl versions, allows remote attackers to cause a denial of service (snmptrapd crash) via an empty community string in an SNMP trap, which triggers a NULL pointer dereference within the newSVpv function in Perl. |
Net SNMP vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_snmp_snmpver |
|
|
CVE-2014-2286 |
main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.x before 1.8.15-cert5 and 11.6 before 11.6-cert2, allows remote attackers to cause a denial of service (stack consumption) and possibly execute arbitrary code via an HTTP request with a large number of Cookie headers. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-2287 |
channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.15 before 1.8.15-cert5 and 11.6 before 11.6-cert2, when chan_sip has a certain configuration, allows remote authenticated users to cause a denial of service (channel and file descriptor consumption) via an INVITE request with a (1) Session-Expires or (2) Min-SE header with a malformed or invalid value. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-2288 |
The PJSIP channel driver in Asterisk Open Source 12.x before 12.1.1, when qualify_frequency "is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request," allows remote attackers to cause a denial of service (crash) via a PJSIP endpoint that does not have an associated outgoing request. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-2299 |
Buffer overflow in the mpeg_read function in wiretap/mpeg.c in the MPEG parser in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a large record in MPEG data. |
Ethereal vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_wireshark |
|
|
CVE-2014-2309 |
The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-2311 |
SQL injection vulnerability in modx.class.php in MODX Revolution 2.0.0 before 2.2.13 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
MODx Revolution vulnerabilities
|
web_prog_php_modxrevver |
|
|
CVE-2014-2313 |
Directory traversal vulnerability in the Importers plugin in Atlassian JIRA before 6.0.5 allows remote attackers to create arbitrary files via unspecified vectors. |
Atlassian JIRA vulnerabilities
|
web_prog_jsp_jira |
|
|
CVE-2014-2314 |
Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create arbitrary files via unspecified vectors. |
Atlassian JIRA vulnerabilities
|
web_prog_jsp_jira |
|
|
CVE-2014-2317 |
SQL injection vulnerability in ajax_udf.php in OpenDocMan before 1.2.7.2 allows remote attackers to execute arbitrary SQL commands via the table parameter. NOTE: some of these details are obtained from third party information. |
OpenDocMan vulnerabilities
|
web_prog_php_opendocmanver |
|
|
CVE-2014-2323 |
SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname. |
Lighttpd vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_server_lighttpd_version |
|
|
CVE-2014-2324 |
Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname. |
Lighttpd vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_server_lighttpd_version |
|
|
CVE-2014-2326 |
Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Cacti vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_cacti |
|
|
CVE-2014-2327 |
Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users. |
Cacti vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_cacti |
|
|
CVE-2014-2328 |
lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors. |
Cacti vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_cacti |
|
|
CVE-2014-2397 |
Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2398 |
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and JRockit R27.8.1 and R28.3.1 allows remote authenticated users to affect integrity via unknown vectors related to Javadoc. |
Java Plugin vulnerability
Oracle JRockit vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_javafx
web_client_jre
web_dev_jdk
web_dev_jrockitver |
|
|
CVE-2014-2401 |
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality via unknown vectors related to 2D. |
IBM Forms Viewer vulnerability
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_ibmfmviewer
web_client_ibmjre
web_client_javafx
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2402 |
Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0432 and CVE-2014-0455. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2403 |
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality via vectors related to JAXP. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2406 |
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to "Advisor" and "Select Any Dictionary" privileges. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-2408 |
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to the "Grant Any Object Privilege." |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-2409 |
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2410 |
Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2412 |
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, SE 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT, a different vulnerability than CVE-2014-0451. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2413 |
Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect integrity via unknown vectors related to Libraries. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2414 |
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXB. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2419 |
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-2420 |
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect integrity via unknown vectors related to Deployment. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2421 |
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_javafx
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2422 |
Unspecified vulnerability in Oracle Java SE 7u51 and 8, and JavaFX 2.2.51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_javafx
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2423 |
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-0458. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2427 |
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2428 |
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2430 |
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-2431 |
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-2432 |
Unspecified vulnerability Oracle the MySQL Server component 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-2434 |
Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to DML. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-2435 |
Unspecified vulnerability in Oracle MySQL Server 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-2436 |
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-2438 |
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-2440 |
Unspecified vulnerability in the MySQL Client component in Oracle MySQL 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-2441 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.1.32, 4.2.24, and 4.3.10 allows local users to affect confidentiality, integrity, and availability via vectors related to Graphics driver (WDDM) for Windows guests. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-2442 |
Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to MyISAM. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-2444 |
Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to InnoDB. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-2450 |
Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-2451 |
Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Privileges. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-2470 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Security. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-2477 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-2486. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-2478 |
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote attackers to affect confidentiality via unknown vectors. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-2479 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS - Web Services. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-2480 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-2481. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-2481 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-2480. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-2483 |
Unspecified vulnerability in the Java SE component in Oracle Java SE Java SE 7u60 and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-4223. NOTE: the previous information is from the July 2014 CPU. Oracle has not commented on another vendor's claim that the issue is related to improper restriction of the "use of privileged annotations." |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2484 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRFTS. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-2486 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-2477. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-2487 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.14, when running on Windows, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-4261. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-2488 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality via unknown vectors related to Core. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-2489 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-2490 |
Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and SE 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_jre
web_dev_jdk |
|
|
CVE-2014-2494 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allows remote authenticated users to affect availability via vectors related to ENARC. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-2497 |
The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-2522 |
curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. |
IBM Rational AppScan vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ibmappscansourcever |
|
|
CVE-2014-2523 |
net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-2525 |
Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file. |
MacOSX vulnerabilities
Ruby vulnerabilities
Puppet vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
web_dev_ruby
web_tool_puppetentver |
|
|
CVE-2014-2532 |
sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. |
MacOSX vulnerabilities
OpenSSH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
shell_ssh_openssh |
|
|
CVE-2014-2578 |
Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk before 5.0.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Splunk vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_splunkver |
|
|
CVE-2014-2580 |
The netback driver in Xen, when using certain Linux versions that do not allow sleeping in softirq context, allows local guest administrators to cause a denial of service ("scheduling while atomic" error and host crash) via a malformed packet, which causes a mutex to be taken when trying to disable the interface. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-2590 |
The web management interface in Siemens RuggedCom ROS before 3.11, ROS 3.11 before 3.11.5 for RS950G, ROS 3.12, and ROS 4.0 for RSG2488 allows remote attackers to cause a denial of service (interface outage) via crafted HTTP packets. |
RuggedCom device
|
misc_scada_ruggedcomver |
|
|
CVE-2014-2623 |
Unspecified vulnerability in HP Storage Data Protector 8.x allows remote attackers to execute arbitrary code via unknown vectors. |
HP Openview vulnerabilities
|
net_openview_hpdataprot |
|
|
CVE-2014-2624 |
Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-2264. |
HP Openview vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_ovnodemgriver |
|
|
CVE-2014-2640 |
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
HP SMH vulnerabilities
|
web_tool_hpsmh |
|
|
CVE-2014-2641 |
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. |
HP SMH vulnerabilities
|
web_tool_hpsmh |
|
|
CVE-2014-2642 |
HP System Management Homepage (SMH) before 7.4 allows remote attackers to conduct clickjacking attacks via unspecified vectors. |
HP SMH vulnerabilities
|
web_tool_hpsmh |
|
|
CVE-2014-2643 |
Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors. |
HP Systems Insight Manager
|
web_tool_hpsim |
|
|
CVE-2014-2644 |
Cross-site scripting (XSS) vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. |
HP Systems Insight Manager
|
web_tool_hpsim |
|
|
CVE-2014-2645 |
HP Systems Insight Manager (SIM) before 7.4 allows remote attackers to conduct clickjacking attacks via unknown vectors. |
HP Systems Insight Manager
|
web_tool_hpsim |
|
|
CVE-2014-2653 |
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. |
OpenSSH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
shell_ssh_openssh |
|
|
CVE-2014-2665 |
includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-2667 |
Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value. |
Python vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_python |
|
|
CVE-2014-2668 |
Apache CouchDB 1.5.0 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via the count parameter to /_uuids. |
Apache CouchDB vulnerabilities
|
web_prog_file_couchdbver |
|
|
CVE-2014-2669 |
Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3) hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a buffer overflow. NOTE: this issue was SPLIT from CVE-2014-0064 because it has a different set of affected versions. |
PostgreSQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql |
|
|
CVE-2014-2672 |
Race condition in the ath_tx_aggr_sleep function in drivers/net/wireless/ath/ath9k/xmit.c in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via a large amount of network traffic that triggers certain list deletions. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-2673 |
The arch_dup_task_struct function in the Transactional Memory (TM) implementation in arch/powerpc/kernel/process.c in the Linux kernel before 3.13.7 on the powerpc platform does not properly interact with the clone and fork system calls, which allows local users to cause a denial of service (Program Check and system crash) via certain instructions that are executed with the processor in the Transactional state. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-2678 |
The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-2708 |
Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6) print_source, (7) local_graph_id, or (8) rra_id parameter. |
Cacti vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_cacti |
|
|
CVE-2014-2709 |
lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters. |
Cacti vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_cacti |
|
|
CVE-2014-2717 |
Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to bypass authentication and obtain administrative access by visiting the change-password page. |
Honeywell FALCON vulnerabilities
|
misc_scada_honeywellfalconsecbypass |
|
|
CVE-2014-2736 |
Multiple SQL injection vulnerabilities in MODX Revolution before 2.2.14 allow remote attackers to execute arbitrary SQL commands via the (1) session ID (PHPSESSID) to index.php or remote authenticated users to execute arbitrary SQL commands via the (2) user parameter to connectors/security/message.php or (3) id parameter to manager/index.php. |
MODx Revolution vulnerabilities
|
web_prog_php_modxrevver |
|
|
CVE-2014-2741 |
nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack. |
Openfire Jabber Server vulnerabilities
|
misc_openfirejabberver |
|
|
CVE-2014-2753 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1769, CVE-2014-1782, CVE-2014-1785, CVE-2014-2755, CVE-2014-2760, CVE-2014-2761, CVE-2014-2772, and CVE-2014-2776. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2754 |
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1774 and CVE-2014-1788. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v9 |
|
|
CVE-2014-2755 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1769, CVE-2014-1782, CVE-2014-1785, CVE-2014-2753, CVE-2014-2760, CVE-2014-2761, CVE-2014-2772, and CVE-2014-2776. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2756 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1772, CVE-2014-1780, CVE-2014-1794, CVE-2014-1797, CVE-2014-1802, CVE-2014-2763, CVE-2014-2764, CVE-2014-2769, and CVE-2014-2771. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-2757 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0282, CVE-2014-1775, CVE-2014-1779, CVE-2014-1799, and CVE-2014-1803. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2758 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1773, CVE-2014-1783, CVE-2014-1784, CVE-2014-1786, CVE-2014-1795, CVE-2014-1805, CVE-2014-2759, CVE-2014-2765, CVE-2014-2766, and CVE-2014-2775. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-2759 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1773, CVE-2014-1783, CVE-2014-1784, CVE-2014-1786, CVE-2014-1795, CVE-2014-1805, CVE-2014-2758, CVE-2014-2765, CVE-2014-2766, and CVE-2014-2775. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-2760 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1769, CVE-2014-1782, CVE-2014-1785, CVE-2014-2753, CVE-2014-2755, CVE-2014-2761, CVE-2014-2772, and CVE-2014-2776. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2761 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1769, CVE-2014-1782, CVE-2014-1785, CVE-2014-2753, CVE-2014-2755, CVE-2014-2760, CVE-2014-2772, and CVE-2014-2776. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2763 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1772, CVE-2014-1780, CVE-2014-1794, CVE-2014-1797, CVE-2014-1802, CVE-2014-2756, CVE-2014-2764, CVE-2014-2769, and CVE-2014-2771. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-2764 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1772, CVE-2014-1780, CVE-2014-1794, CVE-2014-1797, CVE-2014-1802, CVE-2014-2756, CVE-2014-2763, CVE-2014-2769, and CVE-2014-2771. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-2765 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1773, CVE-2014-1783, CVE-2014-1784, CVE-2014-1786, CVE-2014-1795, CVE-2014-1805, CVE-2014-2758, CVE-2014-2759, CVE-2014-2766, and CVE-2014-2775. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-2766 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1773, CVE-2014-1783, CVE-2014-1784, CVE-2014-1786, CVE-2014-1795, CVE-2014-1805, CVE-2014-2758, CVE-2014-2759, CVE-2014-2765, and CVE-2014-2775. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-2767 |
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7 |
|
|
CVE-2014-2768 |
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8 |
|
|
CVE-2014-2769 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1772, CVE-2014-1780, CVE-2014-1794, CVE-2014-1797, CVE-2014-1802, CVE-2014-2756, CVE-2014-2763, CVE-2014-2764, and CVE-2014-2771. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-2770 |
Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1781, CVE-2014-1792, and CVE-2014-1804. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8 |
|
|
CVE-2014-2771 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1772, CVE-2014-1780, CVE-2014-1794, CVE-2014-1797, CVE-2014-1802, CVE-2014-2756, CVE-2014-2763, CVE-2014-2764, and CVE-2014-2769. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-2772 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1769, CVE-2014-1782, CVE-2014-1785, CVE-2014-2753, CVE-2014-2755, CVE-2014-2760, CVE-2014-2761, and CVE-2014-2776. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2773 |
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2768. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8 |
|
|
CVE-2014-2774 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2820, CVE-2014-2826, CVE-2014-2827, and CVE-2014-4063. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2775 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1773, CVE-2014-1783, CVE-2014-1784, CVE-2014-1786, CVE-2014-1795, CVE-2014-1805, CVE-2014-2758, CVE-2014-2759, CVE-2014-2765, and CVE-2014-2766. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-2776 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1769, CVE-2014-1782, CVE-2014-1785, CVE-2014-2753, CVE-2014-2755, CVE-2014-2760, CVE-2014-2761, and CVE-2014-2772. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2777 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary web script with increased privileges via unspecified vectors, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2014-1778. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2778 |
Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted embedded font in a (1) .doc or (2) .docx document, aka "Embedded Font Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_office200714034
win_patch_office2007compat |
|
|
CVE-2014-2779 |
mpengine.dll in Microsoft Malware Protection Engine before 1.1.10701.0 allows remote attackers to cause a denial of service (system hang) via a crafted file. |
Microsoft Malware Protection Engine vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_mpe_kb2974294 |
|
|
CVE-2014-2780 |
DirectShow in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows local users to gain privileges by leveraging control over a low-integrity process to execute a crafted application, aka "DirectShow Elevation of Privilege Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_qedit14041 |
|
|
CVE-2014-2781 |
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly restrict the exchange of keyboard and mouse data between programs at different integrity levels, which allows attackers to bypass intended access restrictions by leveraging control over a low-integrity process to launch the On-Screen Keyboard (OSK) and then upload a crafted application, aka "On-Screen Keyboard Elevation of Privilege Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14039 |
|
|
CVE-2014-2782 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1773, CVE-2014-1783, CVE-2014-1784, CVE-2014-1786, CVE-2014-1795, CVE-2014-1805, CVE-2014-2758, CVE-2014-2759, CVE-2014-2765, CVE-2014-2766, and CVE-2014-2775. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-2783 |
Microsoft Internet Explorer 7 through 11 does not prevent use of wildcard EV SSL certificates, which might allow remote attackers to spoof a trust level by leveraging improper issuance of a wildcard certificate by a recognized Certification Authority, aka "Extended Validation (EV) Certificate Security Feature Bypass Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2784 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4051. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2785 |
Microsoft Internet Explorer 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v7 |
|
|
CVE-2014-2786 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2792 and CVE-2014-2813. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-2787 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2790, CVE-2014-2802, and CVE-2014-2806. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2788 |
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2794. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7 |
|
|
CVE-2014-2789 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2790 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2787, CVE-2014-2802, and CVE-2014-2806. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2791 |
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v9 |
|
|
CVE-2014-2792 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2786 and CVE-2014-2813. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-2794 |
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7 |
|
|
CVE-2014-2795 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2789, CVE-2014-2798, and CVE-2014-2804. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2796 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2808, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-2797 |
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8 |
|
|
CVE-2014-2798 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2789, CVE-2014-2795, and CVE-2014-2804. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2799 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2800 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2807 and CVE-2014-2809. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2801 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-2802 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2787, CVE-2014-2790, and CVE-2014-2806. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2803 |
Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2804 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2789, CVE-2014-2795, and CVE-2014-2798. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2806 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2787, CVE-2014-2790, and CVE-2014-2802. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2807 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2800 and CVE-2014-2809. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2808 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-2809 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2800 and CVE-2014-2807. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2810 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2811, CVE-2014-2822, CVE-2014-2823, and CVE-2014-4057. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2811 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2810, CVE-2014-2822, CVE-2014-2823, and CVE-2014-4057. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2813 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2786 and CVE-2014-2792. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-2814 |
Microsoft Service Bus 1.1 on Microsoft Windows Server 2008 R2 SP1 and Server 2012 Gold and R2 allows remote authenticated users to cause a denial of service (AMQP messaging outage) via crafted AMQP messages, aka "Service Bus Denial of Service Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_servicebus14042 |
|
|
CVE-2014-2815 |
Microsoft OneNote 2007 SP3 allows remote attackers to execute arbitrary code via a crafted OneNote file that triggers creation of an executable file in a startup folder, aka "OneNote Remote Code Execution Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_officenote |
|
|
CVE-2014-2816 |
Microsoft SharePoint Server 2013 Gold and SP1 and SharePoint Foundation 2013 Gold and SP1 allow remote authenticated users to gain privileges via a Trojan horse app that executes a custom action in the context of the SharePoint extensibility model, aka "SharePoint Page Content Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_sharepoint2013ms14050 |
|
|
CVE-2014-2817 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2818 |
Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10 |
|
|
CVE-2014-2819 |
Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2820 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2774, CVE-2014-2826, CVE-2014-2827, and CVE-2014-4063. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2821 |
Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2822 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2810, CVE-2014-2811, CVE-2014-2823, and CVE-2014-4057. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2823 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2810, CVE-2014-2811, CVE-2014-2822, and CVE-2014-4057. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-2824 |
Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8 |
|
|
CVE-2014-2825 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2808, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-2826 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2774, CVE-2014-2820, CVE-2014-2827, and CVE-2014-4063. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2827 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2774, CVE-2014-2820, CVE-2014-2826, and CVE-2014-4063. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-2851 |
Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-2853 |
Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-2855 |
The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a user name which does not exist in the secrets file. |
rsyncd vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_rsyncdver |
|
|
CVE-2014-2907 |
The srtp_add_address function in epan/dissectors/packet-rtp.c in the RTP dissector in Wireshark 1.10.x before 1.10.7 does not properly update SRTP conversation data, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. |
Ethereal vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_wireshark |
|
|
CVE-2014-2916 |
Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/. |
phpList vulnerabilities
|
web_prog_php_phplistver |
|
|
CVE-2014-2927 |
The rsync daemon in F5 BIG-IP 11.6 before 11.6.0, 11.5.1 before HF3, 11.5.0 before HF4, 11.4.1 before HF4, 11.4.0 before HF7, 11.3.0 before HF9, and 11.2.1 before HF11 and Enterprise Manager 3.x before 3.1.1 HF2, when configured in failover mode, does not require authentication, which allows remote attackers to read or write to arbitrary files via a cmi request to the ConfigSync IP address. |
rsync vulnerability
|
misc_rsyncf5bigip |
|
|
CVE-2014-2957 |
The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled, allows remote attackers to execute arbitrary code via the From header in an email, which is passed to the expand_string function. |
Exim vulnerability
Note: Authentication is recommended to improve the accuracy of this check |
mail_smtp_exim
mail_smtp_eximver |
|
|
CVE-2014-2972 |
expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value. |
Exim vulnerability
Note: Authentication is recommended to improve the accuracy of this check |
mail_smtp_exim
mail_smtp_eximver |
|
|
CVE-2014-2983 |
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. |
Drupal vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal |
|
|
CVE-2014-3005 |
XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. |
Zabbix vulnerabilities
|
web_tool_zabbixver |
|
|
CVE-2014-3014 |
Cross-site scripting (XSS) vulnerability in the Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. |
Lotus Sametime vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_server_lotus_sametimecliver |
|
|
CVE-2014-3021 |
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 does not properly handle HTTP headers, which allows remote attackers to obtain sensitive cookie and authentication data via an unspecified HTTP method. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-3022 |
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted URL that triggers an error condition. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-3065 |
Unspecified vulnerability in IBM Java Runtime Environment (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before SR8 FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and before SR16 FP8 (5.0.16.8) allows local users to execute arbitrary code via vectors related to the shared classes cache. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre |
|
|
CVE-2014-3068 |
IBM Java Runtime Environment (JRE) 7 R1 before SR1 FP1 (7.1.1.1), 7 before SR7 FP1 (7.0.7.1), 6 R1 before SR8 FP1 (6.1.8.1), 6 before SR16 FP1 (6.0.16.1), and before 5.0 SR16 FP7 (5.0.16.7) allows attackers to obtain the private key from a Certificate Management System (CMS) keystore via a brute force attack. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre |
|
|
CVE-2014-3070 |
The addFileRegistryAccount Virtual Member Manager (VMM) SPI Admin Task in IBM WebSphere Application Server (WAS) 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.3 does not properly create accounts, which allows remote attackers to bypass intended access restrictions via unspecified vectors. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-3072 |
Unspecified vulnerability in the Automation Server in IBM Security AppScan Source 8 through 8.0.0.2, 8.5 through 8.5.0.1, 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, and 9.0 through 9.0.0.1 allows local users to gain privileges by executing a crafted service. |
IBM Rational AppScan vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ibmappscansourcever |
|
|
CVE-2014-3083 |
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.35, 8.0.x before 8.0.0.10, and 8.5.x before 8.5.5.3 does not properly restrict resource access, which allows remote attackers to obtain sensitive information via unspecified vectors. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-3086 |
Unspecified vulnerability in the IBM Java Virtual Machine, as used in IBM WebSphere Real Time 3 before Service Refresh 7 FP1 and other products, allows remote attackers to gain privileges by leveraging the ability to execute code in the context of a security manager. |
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre
web_server_lotus_domino |
|
|
CVE-2014-3088 |
stconf.nsf in IBM Sametime Meeting Server 8.5.1 relies on the client to validate the file format used in wAttach?OpenForm multipart/form-data POST requests, which allows remote authenticated users to bypass intended upload restrictions by modifying the Content-Type header and file extension, as demonstrated by replacing a text/plain .txt upload with an application/octet-stream .exe upload. |
Lotus Sametime vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_server_lotus_sametimecliver |
|
|
CVE-2014-3094 |
Stack-based buffer overflow in IBM DB2 9.7 through FP9a, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP4 on Linux, UNIX, and Windows allows remote authenticated users to execute arbitrary code via a crafted ALTER MODULE statement. |
DB2 vulnerabilities
|
database_db2ver |
|
|
CVE-2014-3095 |
The SQL engine in IBM DB2 9.5 through FP10, 9.7 through FP9a, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP4 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) via a crafted UNION clause in a subquery of a SELECT statement. |
DB2 vulnerabilities
|
database_db2ver |
|
|
CVE-2014-3100 |
Stack-based buffer overflow in the encode_key function in /system/bin/keystore in the KeyStore service in Android 4.3 allows attackers to execute arbitrary code, and consequently obtain sensitive key information or bypass intended restrictions on cryptographic operations, via a long key name. |
Google Android vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_androidver |
|
|
CVE-2014-3110 |
Multiple cross-site scripting (XSS) vulnerabilities on Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to inject arbitrary web script or HTML via invalid input. |
Honeywell FALCON vulnerabilities
|
misc_scada_honeywellxlwebver |
|
|
CVE-2014-3113 |
Multiple buffer overflows in RealNetworks RealPlayer before 17.0.10.8 allow remote attackers to execute arbitrary code via a malformed (1) elst or (2) stsz atom in an MP4 file. |
RealPlayer vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_realplayer
misc_realplayercategory_macver |
|
|
CVE-2014-3122 |
The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel before 3.14.3 does not properly consider which pages must be locked, which allows local users to cause a denial of service (system crash) by triggering a memory-usage pattern that requires removal of page-table mappings. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3125 |
Xen 4.4.x, when running on an ARM system, does not properly context switch the CNTKCTL_EL1 register, which allows local guest users to modify the hardware timers and cause a denial of service (crash) via unspecified vectors. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-3144 |
The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3145 |
The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3152 |
Integer underflow in the LCodeGen::PrepareKeyedOperand function in arm/lithium-codegen-arm.cc in Google V8 before 3.25.28.16, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a negative key value. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-3153 |
The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification. |
Linux Kernel vulnerabilities
Cisco FireSIGHT vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel
web_prog_firesightver |
|
|
CVE-2014-3154 |
Use-after-free vulnerability in the ChildThread::Shutdown function in content/child/child_thread.cc in the filesystem API in Google Chrome before 35.0.1916.153 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to a Blink shutdown. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-3155 |
net/spdy/spdy_write_queue.cc in the SPDY implementation in Google Chrome before 35.0.1916.153 allows remote attackers to cause a denial of service (out-of-bounds read) by leveraging incorrect queue maintenance. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-3156 |
Buffer overflow in the clipboard implementation in Google Chrome before 35.0.1916.153 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger unexpected bitmap data, related to content/renderer/renderer_clipboard_client.cc and content/renderer/webclipboard_impl.cc. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-3157 |
Heap-based buffer overflow in the FFmpegVideoDecoder::GetVideoBuffer function in media/filters/ffmpeg_video_decoder.cc in Google Chrome before 35.0.1916.153 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging VideoFrame data structures that are too small for proper interaction with an underlying FFmpeg library. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-3158 |
Integer overflow in the getword function in options.c in pppd in Paul's PPP Package (ppp) before 2.4.7 allows attackers to "access privileged options" via a long word in an options file, which triggers a heap-based buffer overflow that "[corrupts] security-relevant variables." |
PPP vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_pppdver |
|
|
CVE-2014-3160 |
The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG files, which allows remote attackers to bypass the Same Origin Policy via a crafted file. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-3162 |
Multiple unspecified vulnerabilities in Google Chrome before 36.0.1985.125 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-3165 |
Use-after-free vulnerability in modules/websockets/WorkerThreadableWebSocketChannel.cpp in the Web Sockets implementation in Blink, as used in Google Chrome before 36.0.1985.143, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an unexpectedly long lifetime of a temporary object during method completion. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-3166 |
The Public Key Pinning (PKP) implementation in Google Chrome before 36.0.1985.143 on Windows, OS X, and Linux, and before 36.0.1985.135 on Android, does not correctly consider the properties of SPDY connections, which allows remote attackers to obtain sensitive information by leveraging the use of multiple domain names. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-3167 |
Multiple unspecified vulnerabilities in Google Chrome before 36.0.1985.143 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-3168 |
Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 37.0.2062.94, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper caching associated with animation. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3169 |
Use-after-free vulnerability in core/dom/ContainerNode.cpp in the DOM implementation in Blink, as used in Google Chrome before 37.0.2062.94, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging script execution that occurs before notification of node removal. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3170 |
extensions/common/url_pattern.cc in Google Chrome before 37.0.2062.94 does not prevent use of a '\0' character in a host name, which allows remote attackers to spoof the extension permission dialog by relying on truncation after this character. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3171 |
Use-after-free vulnerability in the V8 bindings in Blink, as used in Google Chrome before 37.0.2062.94, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper use of HashMap add operations instead of HashMap set operations, related to bindings/core/v8/DOMWrapperMap.h and bindings/core/v8/SerializedScriptValue.cpp. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3172 |
The Debugger extension API in browser/extensions/api/debugger/debugger_api.cc in Google Chrome before 37.0.2062.94 does not validate a tab's URL before an attach operation, which allows remote attackers to bypass intended access limitations via an extension that uses a restricted URL, as demonstrated by a chrome:// URL. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3173 |
The WebGL implementation in Google Chrome before 37.0.2062.94 does not ensure that clear calls interact properly with the state of a draw buffer, which allows remote attackers to cause a denial of service (read of uninitialized memory) via a crafted CANVAS element, related to gpu/command_buffer/service/framebuffer_manager.cc and gpu/command_buffer/service/gles2_cmd_decoder.cc. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3174 |
modules/webaudio/BiquadDSPKernel.cpp in the Web Audio API implementation in Blink, as used in Google Chrome before 37.0.2062.94, does not properly consider concurrent threads during attempts to update biquad filter coefficients, which allows remote attackers to cause a denial of service (read of uninitialized memory) via crafted API calls. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3175 |
Multiple unspecified vulnerabilities in Google Chrome before 37.0.2062.94 allow attackers to cause a denial of service or possibly have other impact via unknown vectors, related to the load_truetype_glyph function in truetype/ttgload.c in FreeType and other functions in other components. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3176 |
Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3177. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3177 |
Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3176. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3178 |
Use-after-free vulnerability in core/dom/Node.cpp in Blink, as used in Google Chrome before 37.0.2062.120, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of render-tree inconsistencies. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-3179 |
Multiple unspecified vulnerabilities in Google Chrome before 37.0.2062.120 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-3186 |
Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel through 3.16.3, as used in Android on Nexus 7 devices, allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that sends a large report. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3188 |
Google Chrome before 38.0.2125.101 and Chrome OS before 38.0.2125.101 do not properly handle the interaction of IPC and Google V8, which allows remote attackers to execute arbitrary code via vectors involving JSON data, related to improper parsing of an escaped index by ParseJsonObject in json-parser.h. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3189 |
The chrome_pdf::CopyImage function in pdf/draw_utils.cc in the PDFium component in Google Chrome before 38.0.2125.101 does not properly validate image-data dimensions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via unknown vectors. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3190 |
Use-after-free vulnerability in the Event::currentTarget function in core/events/Event.cpp in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code that accesses the path property of an Event object. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3191 |
Use-after-free vulnerability in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers a widget-position update that improperly interacts with the render tree, related to the FrameView::updateLayoutAndStyleForPainting function in core/frame/FrameView.cpp and the RenderLayerScrollableArea::setScrollOffset function in core/rendering/RenderLayerScrollableArea.cpp. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3192 |
Use-after-free vulnerability in the ProcessingInstruction::setXSLStyleSheet function in core/dom/ProcessingInstruction.cpp in the DOM implementation in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. |
iTunes vulnerabilities
MacOSX vulnerabilities
Apple iOS vulnerabilities
Google Chrome vulnerabilities
Opera vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_macosx_version
misc_mobile_iosver
web_client_googlechrome
web_client_opera9
web_client_safari |
|
|
CVE-2014-3193 |
The SessionService::GetLastSession function in browser/sessions/session_service.cc in Google Chrome before 38.0.2125.101 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors that leverage "type confusion" for callback processing. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3194 |
Use-after-free vulnerability in the Web Workers implementation in Google Chrome before 38.0.2125.101 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3195 |
Google V8, as used in Google Chrome before 38.0.2125.101, does not properly track JavaScript heap-memory allocations as allocations of uninitialized memory and does not properly concatenate arrays of double-precision floating-point numbers, which allows remote attackers to obtain sensitive information via crafted JavaScript code, related to the PagedSpace::AllocateRaw and NewSpace::AllocateRaw functions in heap/spaces-inl.h, the LargeObjectSpace::AllocateRaw function in heap/spaces.cc, and the Runtime_ArrayConcat function in runtime.cc. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3196 |
base/memory/shared_memory_win.cc in Google Chrome before 38.0.2125.101 on Windows does not properly implement read-only restrictions on shared memory, which allows attackers to bypass a sandbox protection mechanism via unspecified vectors. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3197 |
The NavigationScheduler::schedulePageBlock function in core/loader/NavigationScheduler.cpp in Blink, as used in Google Chrome before 38.0.2125.101, does not properly provide substitute data for pages blocked by the XSS auditor, which allows remote attackers to obtain sensitive information via a crafted web site. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3198 |
The Instance::HandleInputEvent function in pdf/instance.cc in the PDFium component in Google Chrome before 38.0.2125.101 interprets a certain -1 value as an index instead of a no-visible-page error code, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3199 |
The wrap function in bindings/core/v8/custom/V8EventCustom.cpp in the V8 bindings in Blink, as used in Google Chrome before 38.0.2125.101, has an erroneous fallback outcome for wrapper-selection failures, which allows remote attackers to cause a denial of service via vectors that trigger stopping a worker process that had been handling an Event object. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3200 |
Multiple unspecified vulnerabilities in Google Chrome before 38.0.2125.101 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-3214 |
The prefetch implementation in named in ISC BIND 9.10.0, when a recursive nameserver is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a DNS query that triggers a response with unspecified attributes. |
DNS vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
dns_bindver |
|
|
CVE-2014-3248 |
Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine. |
Puppet vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_tool_puppetentver
web_tool_puppetver |
|
|
CVE-2014-3249 |
Puppet Enterprise 2.8.x before 2.8.7 allows remote attackers to obtain sensitive information via vectors involving hiding and unhiding nodes. |
Puppet vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_puppetentver |
|
|
CVE-2014-3250 |
The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4. |
Puppet vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_tool_puppetver |
|
|
CVE-2014-3251 |
The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition. |
Puppet vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_puppetentver |
|
|
CVE-2014-3262 |
The Locator/ID Separation Protocol (LISP) implementation in Cisco IOS 15.3(3)S and earlier and IOS XE does not properly validate parameters in ITR control messages, which allows remote attackers to cause a denial of service (CEF outage and packet drops) via malformed messages, aka Bug ID CSCun73782. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3263 |
The ScanSafe module in Cisco IOS 15.3(3)M allows remote attackers to cause a denial of service (device reload) via HTTPS packets that require tower processing, aka Bug ID CSCum97038. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3268 |
Cisco IOS 15.2(4)M4 on Cisco Unified Border Element (CUBE) devices allows remote attackers to cause a denial of service (input-queue consumption and traffic-processing outage) via crafted RTCP packets, aka Bug ID CSCuj72215. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3271 |
The DHCPv6 implementation in Cisco IOS XR allows remote attackers to cause a denial of service (device crash) via a malformed packet, aka Bug IDs CSCum85558, CSCum20949, CSCul61849, and CSCul71149. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-3273 |
The LLDP implementation in Cisco IOS allows remote attackers to cause a denial of service (device reload) via a malformed packet, aka Bug ID CSCum96282. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3287 |
SQL injection vulnerability in BulkViewFileContentsAction.java in the Java interface in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to execute arbitrary SQL commands via crafted filename parameters in a URL, aka Bug ID CSCuo17337. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3292 |
The Real Time Monitoring Tool (RTMT) implementation in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to (1) read or (2) delete arbitrary files via a crafted URL, aka Bug IDs CSCuo17302 and CSCuo17199. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3293 |
Cisco IOS 15.4(3)S0b on ASR901 devices makes incorrect decisions to use the CPU for IPv4 packet processing, which allows remote attackers to cause a denial of service (BGP neighbor flapping) by sending many crafted IPv4 packets, aka Bug ID CSCuo29736. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3299 |
Cisco IOS allows remote authenticated users to cause a denial of service (device reload) via malformed IPsec packets, aka Bug ID CSCui79745. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3308 |
Cisco IOS XR on Trident line cards in ASR 9000 devices lacks a static punt policer, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted packets, aka Bug ID CSCun83985. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-3315 |
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3316 |
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3317 |
Directory traversal vulnerability in the Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager 10.0(1) allows remote authenticated users to delete arbitrary files via a crafted URL, aka Bug ID CSCup76314. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3318 |
Directory traversal vulnerability in dna/viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via a crafted URL, aka Bug ID CSCup76318. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3319 |
Directory traversal vulnerability in the Real-Time Monitoring Tool (RTMT) in Cisco Unified Communications Manager (CM) 10.0(1) allows remote authenticated users to read arbitrary files via a crafted URL, aka Bug ID CSCup57676. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3321 |
Cisco IOS XR 4.3.4 and earlier on ASR 9000 devices, when bridge-group virtual interface (BVI) routing is enabled, allows remote attackers to cause a denial of service (chip and card hangs) via a series of crafted MPLS packets, aka Bug ID CSCuo91149. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-3322 |
Cisco IOS XR 4.3(.2) and earlier on ASR 9000 devices does not properly perform NetFlow sampling of IP packets, which allows remote attackers to cause a denial of service (chip and card hangs) via malformed (1) IPv4 or (2) IPv6 packets, aka Bug ID CSCuo68417. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-3327 |
The EnergyWise module in Cisco IOS 12.2, 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.2.xXO, 3.3.xSG, 3.4.xSG, and 3.5.xE before 3.5.3E allows remote attackers to cause a denial of service (device reload) via a crafted IPv4 packet, aka Bug ID CSCup52101. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3335 |
Cisco IOS XR 4.3(.2) and earlier on ASR 9000 devices does not properly perform NetFlow sampling of packets with multicast destination MAC addresses, which allows remote attackers to cause a denial of service (chip and card hangs) via a crafted packet, aka Bug ID CSCup77750. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-3337 |
The SIP implementation in Cisco Unified Communications Manager (CM) 8.6(.2) and earlier allows remote authenticated users to cause a denial of service (process crash) via a crafted SIP message that is not properly handled during processing of an XML document, aka Bug ID CSCtq76428. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3339 |
Multiple SQL injection vulnerabilities in the administrative web interface in Cisco Unified Communications Manager (CM) and Cisco Unified Presence Server (CUPS) allow remote authenticated users to execute arbitrary SQL commands via crafted input to unspecified pages, aka Bug ID CSCup74290. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3343 |
Cisco IOS XR 5.1 allows remote attackers to cause a denial of service (DHCPv6 daemon crash) via a malformed DHCPv6 packet, aka Bug ID CSCuo59052. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-3353 |
Cisco IOS XR 4.3(.2) and earlier, as used in Cisco Carrier Routing System (CRS), allows remote attackers to cause a denial of service (CPU consumption and IPv6 packet drops) via a malformed IPv6 packet, aka Bug ID CSCuo95165. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-3354 |
Cisco IOS 12.0, 12.2, 12.4, 15.0, 15.1, 15.2, and 15.3 and IOS XE 2.x and 3.x before 3.7.4S; 3.2.xSE and 3.3.xSE before 3.3.2SE; 3.3.xSG and 3.4.xSG before 3.4.4SG; and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allow remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCui11547. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3355 |
The metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3.3.xXO before 3.3.1XO, 3.6.xS and 3.7.xS before 3.7.6S, and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allows remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCug75942. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3356 |
The metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3.3.xXO before 3.3.1XO, 3.6.xS and 3.7.xS before 3.7.6S, and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allows remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCue22753. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3357 |
Cisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE, 3.3.xXO before 3.3.1XO, 3.5.xE before 3.5.2E, and 3.11.xS before 3.11.1S allow remote attackers to cause a denial of service (device reload) via malformed mDNS packets, aka Bug ID CSCul90866. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3358 |
Memory leak in Cisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE, 3.3.xXO before 3.3.1XO, 3.5.xE before 3.5.2E, and 3.11.xS before 3.11.1S allows remote attackers to cause a denial of service (memory consumption, and interface queue wedge or device reload) via malformed mDNS packets, aka Bug ID CSCuj58950. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3359 |
Memory leak in Cisco IOS 15.1 through 15.4 and IOS XE 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allows remote attackers to cause a denial of service (memory consumption or device reload) via malformed DHCPv6 packets, aka Bug ID CSCum90081. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3360 |
Cisco IOS 12.4 and 15.0 through 15.4 and IOS XE 3.1.xS, 3.2.xS, 3.3.xS, 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allow remote attackers to cause a denial of service (device reload) via a crafted SIP message, aka Bug ID CSCul46586. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3361 |
The ALG module in Cisco IOS 15.0 through 15.4 does not properly implement SIP over NAT, which allows remote attackers to cause a denial of service (device reload) via multipart SDP IPv4 traffic, aka Bug ID CSCun54071. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3363 |
Cross-site scripting (XSS) vulnerability in the web framework in Cisco Unified Communications Manager (UCM) 9.1(2.10000.28) allows remote authenticated users to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCuq68443. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3366 |
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3372 |
Multiple cross-site scripting (XSS) vulnerabilities in the CCM reports interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90589. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3373 |
Multiple cross-site scripting (XSS) vulnerabilities in the CCM Dialed Number Analyzer interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCup92550. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3374 |
Multiple cross-site scripting (XSS) vulnerabilities in the CCM admin interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90582. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3375 |
Multiple cross-site scripting (XSS) vulnerabilities in the CCM Service interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90597. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3376 |
Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed RSVP packet, aka Bug ID CSCuq12031. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-3377 |
snmpd in Cisco IOS XR 5.1 and earlier allows remote authenticated users to cause a denial of service (process reload) via a malformed SNMPv2 packet, aka Bug ID CSCun67791. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-3378 |
tacacsd in Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed TACACS+ packet, aka Bug ID CSCum00468. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-3379 |
Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (NPU and card hang or reload) via a malformed MPLS packet, aka Bug ID CSCuq10466. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-3380 |
Cisco Unified Communications Domain Manager Platform Software 4.4(.3) and earlier allows remote attackers to cause a denial of service (CPU consumption) by sending crafted TCP packets quickly, aka Bug ID CSCuo42063. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-3382 |
The SQL*Net inspection engine in Cisco ASA Software 7.2 before 7.2(5.13), 8.2 before 8.2(5.50), 8.3 before 8.3(2.42), 8.4 before 8.4(7.15), 8.5 before 8.5(1.21), 8.6 before 8.6(1.14), 8.7 before 8.7(1.13), 9.0 before 9.0(4.5), and 9.1 before 9.1(5.1) allows remote attackers to cause a denial of service (device reload) via crafted SQL REDIRECT packets, aka Bug ID CSCum46027. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3383 |
The IKE implementation in the VPN component in Cisco ASA Software 9.1 before 9.1(5.1) allows remote attackers to cause a denial of service (device reload) via crafted UDP packets, aka Bug ID CSCul36176. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3384 |
The IKEv2 implementation in Cisco ASA Software 8.4 before 8.4(7.15), 8.6 before 8.6(1.14), 9.0 before 9.0(4.8), and 9.1 before 9.1(5.1) allows remote attackers to cause a denial of service (device reload) via a crafted packet that is sent during tunnel creation, aka Bug ID CSCum96401. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3385 |
Race condition in the Health and Performance Monitoring (HPM) for ASDM feature in Cisco ASA Software 8.3 before 8.3(2.42), 8.4 before 8.4(7.11), 8.5 before 8.5(1.19), 8.6 before 8.6(1.13), 8.7 before 8.7(1.11), 9.0 before 9.0(4.8), and 9.1 before 9.1(4.5) allows remote attackers to cause a denial of service (device reload) via TCP traffic that triggers many half-open connections at the same time, aka Bug ID CSCum00556. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3386 |
The GPRS Tunneling Protocol (GTP) inspection engine in Cisco ASA Software 8.2 before 8.2(5.51), 8.4 before 8.4(7.15), 8.7 before 8.7(1.13), 9.0 before 9.0(4.8), and 9.1 before 9.1(5.1) allows remote attackers to cause a denial of service (device reload) via a crafted series of GTP packets, aka Bug ID CSCum56399. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3387 |
The SunRPC inspection engine in Cisco ASA Software 7.2 before 7.2(5.14), 8.2 before 8.2(5.51), 8.3 before 8.3(2.42), 8.4 before 8.4(7.23), 8.5 before 8.5(1.21), 8.6 before 8.6(1.14), 8.7 before 8.7(1.13), 9.0 before 9.0(4.5), and 9.1 before 9.1(5.3) allows remote attackers to cause a denial of service (device reload) via crafted SunRPC packets, aka Bug ID CSCun11074. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3388 |
The DNS inspection engine in Cisco ASA Software 9.0 before 9.0(4.13), 9.1 before 9.1(5.7), and 9.2 before 9.2(2) allows remote attackers to cause a denial of service (device reload) via crafted DNS packets, aka Bug ID CSCuo68327. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3389 |
The VPN implementation in Cisco ASA Software 7.2 before 7.2(5.15), 8.2 before 8.2(5.51), 8.3 before 8.3(2.42), 8.4 before 8.4(7.23), 8.6 before 8.6(1.15), 9.0 before 9.0(4.24), 9.1 before 9.1(5.12), 9.2 before 9.2(2.6), and 9.3 before 9.3(1.1) does not properly implement a tunnel filter, which allows remote authenticated users to obtain failover-unit access via crafted packets, aka Bug ID CSCuq28582. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3390 |
The Virtual Network Management Center (VNMC) policy implementation in Cisco ASA Software 8.7 before 8.7(1.14), 9.2 before 9.2(2.8), and 9.3 before 9.3(1.1) allows local users to obtain Linux root access by leveraging administrative privileges and executing a crafted script, aka Bug IDs CSCuq41510 and CSCuq47574. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3391 |
Untrusted search path vulnerability in Cisco ASA Software 8.x before 8.4(3), 8.5, and 8.7 before 8.7(1.13) allows local users to gain privileges by placing a Trojan horse library file in external memory, leading to library use after device reload because of an incorrect LD_LIBRARY_PATH value, aka Bug ID CSCtq52661. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3392 |
The Clientless SSL VPN portal in Cisco ASA Software 8.2 before 8.2(5.51), 8.3 before 8.3(2.42), 8.4 before 8.4(7.23), 8.6 before 8.6(1.15), 9.0 before 9.0(4.24), 9.1 before 9.1(5.12), 9.2 before 9.2(2.8), and 9.3 before 9.3(1.1) allows remote attackers to obtain sensitive information from process memory or modify memory contents via crafted parameters, aka Bug ID CSCuq29136. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3393 |
The Clientless SSL VPN portal customization framework in Cisco ASA Software 8.2 before 8.2(5.51), 8.3 before 8.3(2.42), 8.4 before 8.4(7.23), 8.6 before 8.6(1.14), 9.0 before 9.0(4.24), 9.1 before 9.1(5.12), and 9.2 before 9.2(2.4) does not properly implement authentication, which allows remote attackers to modify RAMFS customization objects via unspecified vectors, as demonstrated by inserting XSS sequences or capturing credentials, aka Bug ID CSCup36829. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3394 |
The Smart Call Home (SCH) implementation in Cisco ASA Software 8.2 before 8.2(5.50), 8.4 before 8.4(7.15), 8.6 before 8.6(1.14), 8.7 before 8.7(1.13), 9.0 before 9.0(4.8), and 9.1 before 9.1(5.1) allows remote attackers to bypass certificate validation via an arbitrary VeriSign certificate, aka Bug ID CSCun10916. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3396 |
Cisco IOS XR on ASR 9000 devices does not properly use compression for port-range and address-range encoding, which allows remote attackers to bypass intended Typhoon line-card ACL restrictions via transit traffic, aka Bug ID CSCup30133. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-3398 |
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to obtain potentially sensitive software-version information by reading the verbose response data that is provided for a request to an unspecified URL, aka Bug ID CSCuq65542. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3399 |
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.2(.2.4) and earlier does not properly manage session information during creation of a SharePoint handler, which allows remote authenticated users to overwrite arbitrary RAMFS cache files or inject Lua programs, and consequently cause a denial of service (portal outage or system reload), via crafted HTTP requests, aka Bug ID CSCup54208. |
Cisco ASA vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_asaver |
|
|
CVE-2014-3409 |
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406. |
Cisco vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ios |
|
|
CVE-2014-3418 |
config/userAdmin/login.tdf in Infoblox NetMRI before 6.8.5 allows remote attackers to execute arbitrary commands via shell metacharacters in the skipjackUsername parameter. |
Infoblox NetMRI vulnerabilities
|
misc_infobloxnetmriblindcommandinjection |
|
|
CVE-2014-3419 |
Infoblox NetMRI before 6.8.5 has a default password of admin for the "root" MySQL database account, which makes it easier for local users to obtain access via unspecified vectors. |
Infoblox NetMRI vulnerabilities
|
misc_infobloxnetmriblindcommandinjection |
|
|
CVE-2014-3421 |
lisp/gnus/gnus-fun.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/gnus.face.ppm temporary file. |
Emacs vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_editors_emacs_version |
|
|
CVE-2014-3422 |
lisp/emacs-lisp/find-gc.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file under /tmp/esrc/. |
Emacs vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_editors_emacs_version |
|
|
CVE-2014-3423 |
lisp/net/browse-url.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a /tmp/Mosaic.##### temporary file. |
Emacs vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_editors_emacs_version |
|
|
CVE-2014-3424 |
lisp/net/tramp-sh.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a /tmp/tramp.##### temporary file. |
Emacs vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_editors_emacs_version |
|
|
CVE-2014-3430 |
Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection. |
Dovecot vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_misc_dovecotver |
|
|
CVE-2014-3466 |
Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message. |
GnuTLS vulnerabilities
VLC vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gnutls
misc_vlc |
|
|
CVE-2014-3470 |
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value. |
MySQL vulnerabilities
Wing FTP vulnerabilities
IBM Rational ClearQuest vulnerabilities
VMWare ESX vulnerabilities
MacOSX vulnerabilities
OpenSSL vulnerabilities
Oracle VirtualBox vulnerabilities
Splunk vulnerabilities
VMware vulnerabilities
Cisco AnyConnect VPN Client vulnerabilities
Cisco voice products
McAfee ePolicy Orchestrator
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version
ftp_wingftpver
misc_clearquestver
misc_esxbuild
misc_macosx_version
misc_openssl
misc_oraclevirtualboxver
misc_splunkver
misc_vmware_fusion
misc_vmwareplayerver
misc_vmwarewkstnver
net_cisco_anyconnectcliver
net_cisco_cucmver
web_tool_epolicyver |
|
|
CVE-2014-3478 |
Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-3479 |
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-3480 |
The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-3482 |
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. |
Ruby on Rails vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_dev_rubyonrails |
|
|
CVE-2014-3483 |
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting. |
Ruby on Rails vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_dev_rubyonrails |
|
|
CVE-2014-3487 |
The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-3493 |
The push_ascii function in smbd in Samba 3.6.x before 3.6.24, 4.0.x before 4.0.19, and 4.1.x before 4.1.9 allows remote authenticated users to cause a denial of service (memory corruption and daemon crash) via an attempt to read a Unicode pathname without specifying use of Unicode, leading to a character-set conversion failure that triggers an invalid pointer dereference. |
Samba vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
win_samba |
|
|
CVE-2014-3505 |
Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition. |
Cerberus FTP Server
OpenSSL vulnerabilities
WinSCP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
ftp_cerberusver
misc_openssl
shell_ssh_winscp |
|
|
CVE-2014-3506 |
d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values. |
Cerberus FTP Server
OpenSSL vulnerabilities
WinSCP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
ftp_cerberusver
misc_openssl
shell_ssh_winscp |
|
|
CVE-2014-3507 |
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function. |
Cerberus FTP Server
OpenSSL vulnerabilities
WinSCP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
ftp_cerberusver
misc_openssl
shell_ssh_winscp |
|
|
CVE-2014-3508 |
The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions. |
Cerberus FTP Server
OpenSSL vulnerabilities
WinSCP vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
ftp_cerberusver
misc_openssl
shell_ssh_winscp
web_tool_hpsmh |
|
|
CVE-2014-3509 |
Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data. |
Cerberus FTP Server
OpenSSL vulnerabilities
WinSCP vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
ftp_cerberusver
misc_openssl
shell_ssh_winscp
web_tool_hpsmh |
|
|
CVE-2014-3510 |
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite. |
Cerberus FTP Server
OpenSSL vulnerabilities
WinSCP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
ftp_cerberusver
misc_openssl
shell_ssh_winscp |
|
|
CVE-2014-3511 |
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue. |
Cerberus FTP Server
OpenSSL vulnerabilities
Splunk vulnerabilities
WinSCP vulnerabilities
McAfee ePolicy Orchestrator
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
ftp_cerberusver
misc_openssl
misc_splunkver
shell_ssh_winscp
web_tool_epolicyver
web_tool_hpsmh |
|
|
CVE-2014-3512 |
Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter. |
Cerberus FTP Server
OpenSSL vulnerabilities
WinSCP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
ftp_cerberusver
misc_openssl
shell_ssh_winscp |
|
|
CVE-2014-3513 |
Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message. |
Cerberus FTP Server
VMWare ESX vulnerabilities
Apple Xcode vulnerabilities
OpenSSL vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
ftp_cerberusver
misc_esxbuild
misc_macosx_xcodeversion
misc_openssl
web_tool_hpsmh |
|
|
CVE-2014-3514 |
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls. |
Ruby on Rails vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_dev_rubyonrails |
|
|
CVE-2014-3515 |
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-3522 |
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. |
Apache Subversion vulnerabilities
|
web_mod_apachesvnver |
|
|
CVE-2014-3523 |
Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests. |
MacOSX vulnerabilities
Apache vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_server_apache_version
web_tool_hpsmh |
|
|
CVE-2014-3524 |
Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified impact via a crafted Calc spreadsheet. |
OpenOffice vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_libreoffice
misc_openofficewin1 |
|
|
CVE-2014-3528 |
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm. |
Apache Subversion vulnerabilities
|
web_mod_apachesvnver |
|
|
CVE-2014-3534 |
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a crafted application that makes a ptrace system call. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3535 |
include/linux/netdevice.h in the Linux kernel before 2.6.36 incorrectly uses macros for netdev_printk and its related logging implementation, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) by sending invalid packets to a VxLAN interface. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3537 |
The web interface in CUPS before 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/. |
CUPS vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
printer_cupsversion |
|
|
CVE-2014-3538 |
file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-3541 |
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3542 |
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3543 |
mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3544 |
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3545 |
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3546 |
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3547 |
Multiple cross-site scripting (XSS) vulnerabilities in badges/renderer.php in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via an external badge. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3548 |
Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger an AJAX exception dialog. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3549 |
Cross-site scripting (XSS) vulnerability in the get_description function in lib/classes/event/user_login_failed.php in Moodle 2.7.x before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted username that is improperly handled during the logging of an invalid login attempt. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3550 |
Multiple cross-site scripting (XSS) vulnerabilities in admin/tool/task/scheduledtasks.php in Moodle 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger a crafted (1) error or (2) success message for a scheduled task. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3551 |
Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3552 |
The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before 2.5.7 does not check whether a session ID is empty, which allows remote authenticated users to hijack sessions via crafted plugin interaction. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3553 |
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3556 |
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411. |
nginx HTTP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_server_nginx |
|
|
CVE-2014-3560 |
NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x before 4.1.11 allows remote attackers to execute arbitrary code via unspecified vectors that modify heap memory, involving a sizeof operation on an incorrect variable in the unstrcpy macro in string_wrappers.h. |
Samba vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
win_samba |
|
|
CVE-2014-3563 |
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud. |
SaltStack vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_saltver |
|
|
CVE-2014-3565 |
snmplib/mib.c in net-snmp 5.7.0 and earlier, when the -OQ option is used, allows remote attackers to cause a denial of service (snmptrapd crash) via a crafted SNMP trap message, which triggers a conversion to the variable type designated in the MIB file, as demonstrated by a NULL type in an ifMtu trap message. |
MacOSX vulnerabilities
Net SNMP vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
net_snmp_snmpver |
|
|
CVE-2014-3566 |
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. |
Oracle Database vulnerabilities
Cerberus FTP Server
Kerio MailServer vulnerabilities
VMWare ESX vulnerabilities
Apple OS X Server vulnerabilities
MacOSX vulnerabilities
Apple Xcode vulnerabilities
Apple iOS vulnerabilities
OpenSSL vulnerabilities
SSL POODLE attack
Asterisk vulnerabilities
Java Plugin vulnerability
IBM HTTP Server vulnerabilities
Cisco FireSIGHT vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version
ftp_cerberusver
mail_smtp_kerio
misc_esxbuild
misc_macosx_server_version
misc_macosx_version
misc_macosx_xcodeversion
misc_mobile_iosver
misc_openssl
misc_tls_poodle
net_asteriskver
web_client_ibmjre
web_client_jre
web_dev_ibmhttpserver
web_dev_jdk
web_prog_firesightver
web_tool_hpsmh |
|
|
CVE-2014-3567 |
Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure. |
Cerberus FTP Server
VMWare ESX vulnerabilities
MacOSX vulnerabilities
Apple Xcode vulnerabilities
OpenSSL vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
ftp_cerberusver
misc_esxbuild
misc_macosx_version
misc_macosx_xcodeversion
misc_openssl
web_tool_hpsmh |
|
|
CVE-2014-3568 |
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c. |
Cerberus FTP Server
VMWare ESX vulnerabilities
MacOSX vulnerabilities
Apple Xcode vulnerabilities
OpenSSL vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
ftp_cerberusver
misc_esxbuild
misc_macosx_version
misc_macosx_xcodeversion
misc_openssl
web_tool_hpsmh |
|
|
CVE-2014-3569 |
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix. |
MySQL vulnerabilities
Cerberus FTP Server
MacOSX vulnerabilities
OpenSSL vulnerabilities
VMware vulnerabilities
March Networks Products Vulnerabilities
WinSCP vulnerabilities
Cisco FireSIGHT vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version
ftp_cerberusver
misc_macosx_version
misc_openssl
misc_vmware_fusion
misc_vmwareplayerver
misc_vmwarewkstnver
net_marchnvdver
shell_ssh_winscp
web_prog_firesightver
web_tool_hpsmh |
|
|
CVE-2014-3570 |
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c. |
MySQL vulnerabilities
Cerberus FTP Server
MacOSX vulnerabilities
OpenSSL vulnerabilities
VMware vulnerabilities
March Networks Products Vulnerabilities
WinSCP vulnerabilities
Cisco FireSIGHT vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version
ftp_cerberusver
misc_macosx_version
misc_openssl
misc_vmware_fusion
misc_vmwareplayerver
misc_vmwarewkstnver
net_marchnvdver
shell_ssh_winscp
web_prog_firesightver
web_tool_hpsmh |
|
|
CVE-2014-3571 |
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c. |
MySQL vulnerabilities
Cerberus FTP Server
MacOSX vulnerabilities
OpenSSL vulnerabilities
VMware vulnerabilities
March Networks Products Vulnerabilities
WinSCP vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version
ftp_cerberusver
misc_macosx_version
misc_openssl
misc_vmware_fusion
misc_vmwareplayerver
misc_vmwarewkstnver
net_marchnvdver
shell_ssh_winscp
web_tool_hpsmh |
|
|
CVE-2014-3572 |
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message. |
MySQL vulnerabilities
Cerberus FTP Server
MacOSX vulnerabilities
OpenSSL vulnerabilities
VMware vulnerabilities
March Networks Products Vulnerabilities
WinSCP vulnerabilities
Cisco FireSIGHT vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version
ftp_cerberusver
misc_macosx_version
misc_openssl
misc_vmware_fusion
misc_vmwareplayerver
misc_vmwarewkstnver
net_marchnvdver
shell_ssh_winscp
web_prog_firesightver
web_tool_hpsmh |
|
|
CVE-2014-3575 |
The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data into documents via crafted OLE objects. |
OpenOffice vulnerabilities
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_libreoffice
misc_macosx_version
misc_openofficewin1 |
|
|
CVE-2014-3576 |
The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command. |
Java Message Service
Oracle Business Intelligence vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_activemqver
web_tool_bipublisherver |
|
|
CVE-2014-3577 |
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field. |
HP Openview vulnerabilities
Jenkins vulnerabilities
Apache Axis2 vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_ovnodemgriver
web_prog_jsp_jenkinsver
web_server_apache_axis2 |
|
|
CVE-2014-3580 |
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist. |
Apache Subversion vulnerabilities
|
web_mod_apachesvnver |
|
|
CVE-2014-3581 |
The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header. |
Apple OS X Server vulnerabilities
MacOSX vulnerabilities
Apache vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_server_version
misc_macosx_version
web_server_apache_version |
|
|
CVE-2014-3582 |
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster. |
Ambari vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ambariver |
|
|
CVE-2014-3583 |
The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers. |
Apple OS X Server vulnerabilities
MacOSX vulnerabilities
Apache vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_server_version
misc_macosx_version
web_server_apache_version |
|
|
CVE-2014-3587 |
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-3591 |
Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication. |
GnuPG vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gnupg
misc_gnupgsmime |
|
|
CVE-2014-3597 |
Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-3601 |
The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to (1) cause a denial of service (host OS memory corruption) or possibly have unspecified other impact by triggering a large gfn value or (2) cause a denial of service (host OS memory consumption) by triggering a small gfn value that leads to permanently pinned pages. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3609 |
HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values." |
Squid vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_proxy_squid |
|
|
CVE-2014-3610 |
The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 does not properly handle the writing of a non-canonical address to a model-specific register, which allows guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3611 |
Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3613 |
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-3616 |
nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks. |
nginx HTTP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_server_nginx |
|
|
CVE-2014-3617 |
The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-3618 |
Heap-based buffer overflow in formisc.c in formail in procmail 3.22 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted email header, related to "unbalanced quotes." |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-3620 |
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-3629 |
XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allows remote attackers to cause outgoing HTTP connections via a crafted message. |
Apache Qpid vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_qpidver |
|
|
CVE-2014-3631 |
The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3645 |
arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.12 does not have an exit handler for the INVEPT instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3646 |
arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3647 |
arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3660 |
parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack. |
VMWare ESX vulnerabilities
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_esxbuild
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-3661 |
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake. |
Jenkins vulnerabilities
|
web_prog_jsp_jenkinsver |
|
|
CVE-2014-3662 |
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts. |
Jenkins vulnerabilities
|
web_prog_jsp_jenkinsver |
|
|
CVE-2014-3663 |
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors. |
Jenkins vulnerabilities
|
web_prog_jsp_jenkinsver |
|
|
CVE-2014-3664 |
Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors. |
Jenkins vulnerabilities
|
web_prog_jsp_jenkinsver |
|
|
CVE-2014-3666 |
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel. |
Jenkins vulnerabilities
|
web_prog_jsp_jenkinsver |
|
|
CVE-2014-3667 |
Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code. |
Jenkins vulnerabilities
|
web_prog_jsp_jenkinsver |
|
|
CVE-2014-3668 |
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-3669 |
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-3670 |
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-3672 |
The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-3673 |
The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3680 |
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM. |
Jenkins vulnerabilities
|
web_prog_jsp_jenkinsver |
|
|
CVE-2014-3681 |
Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Jenkins vulnerabilities
|
web_prog_jsp_jenkinsver |
|
|
CVE-2014-3687 |
The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3688 |
The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association's output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3690 |
arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3693 |
Use-after-free vulnerability in the socket manager of Impress Remote in LibreOffice 4.x before 4.2.7 and 4.3.x before 4.3.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to TCP port 1599. |
OpenOffice vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_libreoffice |
|
|
CVE-2014-3694 |
The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
Gaim vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gaim |
|
|
CVE-2014-3695 |
markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response. |
Gaim vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gaim |
|
|
CVE-2014-3696 |
nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation. |
Gaim vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gaim |
|
|
CVE-2014-3697 |
Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme. |
Gaim vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gaim |
|
|
CVE-2014-3698 |
The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message. |
Gaim vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gaim |
|
|
CVE-2014-3704 |
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. |
Drupal vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal |
|
|
CVE-2014-3707 |
The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-3710 |
The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-3730 |
The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com." |
Django vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_djangover |
|
|
CVE-2014-3791 |
Stack-based buffer overflow in Easy File Sharing (EFS) Web Server 6.8 allows remote attackers to execute arbitrary code via a long string in a cookie UserID parameter to vfolder.ghp. |
Easy File Sharing Web Server
|
web_server_efswsver |
|
|
CVE-2014-3793 |
VMware Tools in VMware Workstation 10.x before 10.0.2, VMware Player 6.x before 6.0.2, VMware Fusion 6.x before 6.0.3, and VMware ESXi 5.0 through 5.5, when a Windows 8.1 guest OS is used, allows guest OS users to gain guest OS privileges or cause a denial of service (kernel NULL pointer dereference and guest OS crash) via unspecified vectors. |
VMWare ESX vulnerabilities
VMware vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_esxbuild
misc_vmware_fusion
misc_vmwareplayerver
misc_vmwarewkstnver |
|
|
CVE-2014-3838 |
ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts. |
OwnCloud vulnerabilities
|
misc_owncloudver |
|
|
CVE-2014-3839 |
|
OwnCloud vulnerabilities
|
misc_owncloudver |
|
|
CVE-2014-3859 |
libdns in ISC BIND 9.10.0 before P2 does not properly handle EDNS options, which allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a crafted packet, as demonstrated by an attack against named, dig, or delv. |
DNS vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
dns_bindver |
|
|
CVE-2014-3885 |
Cross-site scripting (XSS) vulnerability in Webmin before 1.690 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. NOTE: this might overlap CVE-2014-3924. |
Webmin vulnerabilities
|
web_tool_webminver |
|
|
CVE-2014-3886 |
Cross-site scripting (XSS) vulnerability in Webmin before 1.690, when referrer checking is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this might overlap CVE-2014-3924. |
Webmin vulnerabilities
|
web_tool_webminver |
|
|
CVE-2014-3917 |
kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3924 |
Multiple cross-site scripting (XSS) vulnerabilities in Webmin before 1.690 and Usermin before 1.600 allow remote attackers to inject arbitrary web script or HTML via vectors related to popup windows. |
Webmin vulnerabilities
|
web_tool_webminver |
|
|
CVE-2014-3931 |
fastping.c in MRLG (aka Multi-Router Looking Glass) before 5.5.0 allows remote attackers to cause an arbitrary memory write and memory corruption. |
Multi Router Looking Glass vulnerabilities
|
net_mrlgbo |
|
|
CVE-2014-3940 |
The Linux kernel through 3.14.5 does not properly consider the presence of hugetlb entries, which allows local users to cause a denial of service (memory corruption or system crash) by accessing certain memory locations, as demonstrated by triggering a race condition via numa_maps read operations during hugepage migration, related to fs/proc/task_mmu.c and mm/mempolicy.c. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-3943 |
Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters. |
TYPO3 vulnerabilities
|
web_prog_php_typo3ver |
|
|
CVE-2014-3956 |
The sm_close_on_exec function in conf.c in sendmail before 8.14.9 has arguments in the wrong order, and consequently skips setting expected FD_CLOEXEC flags, which allows local users to access unintended high-numbered file descriptors via a custom mail-delivery program. |
Sendmail vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_smtp_sendmail |
|
|
CVE-2014-3966 |
Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-3969 |
Xen 4.4.x, when running on an ARM system, does not properly check write permissions on virtual addresses, which allows local guest administrators to gain privileges via unspecified vectors. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-3974 |
Cross-site scripting (XSS) vulnerability in filemanager.php in AuraCMS 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the viewdir parameter. |
AuraCMS vulnerabilities
|
web_prog_php_auracms |
|
|
CVE-2014-3975 |
Absolute path traversal vulnerability in filemanager.php in AuraCMS 3.0 allows remote attackers to list a directory via a full pathname in the viewdir parameter. |
AuraCMS vulnerabilities
|
web_prog_php_auracms |
|
|
CVE-2014-3981 |
acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-4002 |
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php. |
Cacti vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_cacti |
|
|
CVE-2014-4014 |
The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4020 |
The dissect_frame function in epan/dissectors/packet-frame.c in the frame metadissector in Wireshark 1.10.x before 1.10.8 interprets a negative integer as a length value even though it was intended to represent an error condition, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. |
Ethereal vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_wireshark |
|
|
CVE-2014-4021 |
Xen 3.2.x through 4.4.x does not properly clean memory pages recovered from guests, which allows local guest OS users to obtain sensitive information via unspecified vectors. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-4022 |
The alloc_domain_struct function in arch/arm/domain.c in Xen 4.4.x, when running on an ARM platform, does not properly initialize the structure containing the grant table pages for a domain, which allows local guest administrators to obtain sensitive information via the GNTTABOP_setup_table subhypercall. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-4027 |
The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4044 |
OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests. |
OpenAFS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_openafsver |
|
|
CVE-2014-4045 |
The Publish/Subscribe Framework in the PJSIP channel driver in Asterisk Open Source 12.x before 12.3.1, when sub_min_expiry is set to zero, allows remote attackers to cause a denial of service (assertion failure and crash) via an unsubscribe request when not subscribed to the device. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-4046 |
Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and Certified Asterisk 11.6 before 11.6-cert3 allows remote authenticated Manager users to execute arbitrary shell commands via a MixMonitor action. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-4047 |
Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and 12.x before 12.3.1 and Certified Asterisk 1.8.15 before 1.8.15-cert6 and 11.6 before 11.6-cert3 allows remote attackers to cause a denial of service (connection consumption) via a large number of (1) inactive or (2) incomplete HTTP connections. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-4048 |
The PJSIP Channel Driver in Asterisk Open Source before 12.3.1 allows remote attackers to cause a denial of service (deadlock) by terminating a subscription request before it is complete, which triggers a SIP transaction timeout. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-4049 |
Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-4050 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2808, CVE-2014-2825, CVE-2014-4055, and CVE-2014-4067. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-4051 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2784. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4052 |
Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v9 |
|
|
CVE-2014-4055 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2808, CVE-2014-2825, CVE-2014-4050, and CVE-2014-4067. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-4056 |
Microsoft Internet Explorer 7 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4057 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2810, CVE-2014-2811, CVE-2014-2822, and CVE-2014-2823. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-4058 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-4059 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4060 |
Use-after-free vulnerability in MCPlayer.dll in Microsoft Windows Media Center TV Pack for Windows Vista, Windows 7 SP1, and Windows Media Center for Windows 8 and 8.1 allows remote attackers to execute arbitrary code via a crafted Office document that triggers deletion of a CSyncBasePlayer object, aka "CSyncBasePlayer Use After Free Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_mediacenter14043 |
|
|
CVE-2014-4061 |
Microsoft SQL Server 2008 SP3, 2008 R2 SP2, and 2012 SP1 does not properly control use of stack memory for processing of T-SQL batch commands, which allows remote authenticated users to cause a denial of service (daemon hang) via a crafted T-SQL statement, aka "Microsoft SQL Server Stack Overrun Vulnerability." |
Microsoft SQL Server
Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql |
|
|
CVE-2014-4062 |
Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5, and 3.5.1 does not properly implement the ASLR protection mechanism, which allows remote attackers to obtain sensitive address information via a crafted web site, aka ".NET ASLR Vulnerability." |
Microsoft NET Framework
Note: Authentication is required to detect this vulnerability |
win_dotnetms14046 |
|
|
CVE-2014-4063 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2774, CVE-2014-2820, CVE-2014-2826, and CVE-2014-2827. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4064 |
The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly handle use of the paged kernel pool for allocation of uninitialized memory, which allows local users to obtain sensitive information about kernel addresses via a crafted application, aka "Windows Kernel Pool Allocation Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_kernelpool14045 |
|
|
CVE-2014-4065 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4066 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2787, CVE-2014-2790, CVE-2014-2802, and CVE-2014-2806. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-4067 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2808, CVE-2014-2825, CVE-2014-4050, and CVE-2014-4055. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-4068 |
The Response Group Service in Microsoft Lync Server 2010 and 2013 and the Core Components in Lync Server 2013 do not properly handle exceptions, which allows remote attackers to cause a denial of service (daemon hang) via a crafted call, aka "Lync Denial of Service Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14055lynccore
win_patch_ms14055lyncrg |
|
|
CVE-2014-4070 |
Cross-site scripting (XSS) vulnerability in the Web Components Server in Microsoft Lync Server 2013 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Lync XSS Information Disclosure Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14055lyncweb |
|
|
CVE-2014-4071 |
The Server in Microsoft Lync Server 2013 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon hang) via a crafted request, aka "Lync Denial of Service Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14055lync |
|
|
CVE-2014-4072 |
Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 does not properly use a hash table for request data, which allows remote attackers to cause a denial of service (resource consumption and ASP.NET performance degradation) via crafted requests, aka ".NET Framework Denial of Service Vulnerability." |
Microsoft NET Framework
Note: Authentication is required to detect this vulnerability |
win_dotnet14053 |
|
|
CVE-2014-4073 |
Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 processes unverified data during interaction with the ClickOnce installer, which allows remote attackers to gain privileges via vectors involving Internet Explorer, aka ".NET ClickOnce Elevation of Privilege Vulnerability." |
Microsoft NET Framework
Note: Authentication is required to detect this vulnerability |
win_dotnet14057clickonce |
|
|
CVE-2014-4074 |
The Task Scheduler in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via an application that schedules a crafted task, aka "Task Scheduler Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_task14054 |
|
|
CVE-2014-4075 |
Cross-site scripting (XSS) vulnerability in System.Web.Mvc.dll in Microsoft ASP.NET Model View Controller (MVC) 2.0 through 5.1 allows remote attackers to inject arbitrary web script or HTML via a crafted web page, aka "MVC XSS Vulnerability." |
Microsoft NET Framework
Note: Authentication is required to detect this vulnerability |
win_patch_aspnetmvc2
win_patch_aspnetmvc3
win_patch_aspnetmvc4
win_patch_aspnetmvc5
win_patch_aspnetmvc51 |
|
|
CVE-2014-4076 |
Microsoft Windows Server 2003 SP2 allows local users to gain privileges via a crafted IOCTL call to (1) tcpip.sys or (2) tcpip6.sys, aka "TCP/IP Elevation of Privilege Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_tcpip14070 |
|
|
CVE-2014-4077 |
Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, and Office 2007 SP3, when IMJPDCT.EXE (aka IME for Japanese) is installed, allow remote attackers to bypass a sandbox protection mechanism via a crafted PDF document, aka "Microsoft IME (Japanese) Elevation of Privilege Vulnerability," as exploited in the wild in 2014. |
Windows updates needed
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_imej
win_patch_imejoffice14078 |
|
|
CVE-2014-4078 |
The IP Security feature in Microsoft Internet Information Services (IIS) 8.0 and 8.5 does not properly process wildcard allow and deny rules for domains within the "IP Address and Domain Restrictions" list, which makes it easier for remote attackers to bypass an intended rule set via an HTTP request, aka "IIS Security Feature Bypass Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_iisfilterbypass |
|
|
CVE-2014-4079 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4080 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4089, CVE-2014-4091, and CVE-2014-4102. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-4081 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4082 |
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4083 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4084 |
Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4093. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-4085 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4086 |
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8 |
|
|
CVE-2014-4087 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4095, CVE-2014-4096, and CVE-2014-4101. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-4088 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4089 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4080, CVE-2014-4091, and CVE-2014-4102. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-4090 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4091 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4080, CVE-2014-4089, and CVE-2014-4102. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-4092 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4098. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4093 |
Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4084. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10 |
|
|
CVE-2014-4094 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4095 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4087, CVE-2014-4096, and CVE-2014-4101. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-4096 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4087, CVE-2014-4095, and CVE-2014-4101. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-4097 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4098 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4092. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4099 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-4100 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4101 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4087, CVE-2014-4095, and CVE-2014-4096. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-4102 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4080, CVE-2014-4089, and CVE-2014-4091. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-4103 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4104 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4105 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4106 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4107 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4108 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4109 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4110, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4110 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, and CVE-2014-4111. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4111 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, and CVE-2014-4110. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4113 |
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka "Win32k.sys Elevation of Privilege Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14058 |
|
|
CVE-2014-4114 |
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14060 |
|
|
CVE-2014-4115 |
fastfat.sys (aka the FASTFAT driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 does not properly allocate memory, which allows physically proximate attackers to execute arbitrary code or cause a denial of service (reserved-memory write) by connecting a crafted USB device, aka "Microsoft Windows Disk Partition Driver Elevation of Privilege Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14063 |
|
|
CVE-2014-4116 |
Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Foundation 2010 SP2 allows remote authenticated users to inject arbitrary web script or HTML via a modified list, aka "SharePoint Elevation of Privilege Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_sharepointsvcs14073 |
|
|
CVE-2014-4117 |
Microsoft Office 2007 SP3, Word 2007 SP3, Office 2010 SP1 and SP2, Word 2010 SP1 and SP2, Office for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP1 and SP2, and Word Web Apps 2010 Gold, SP1, and SP2 allow remote attackers to execute arbitrary code via crafted properties in a Word document, aka "Microsoft Word File Format Vulnerability." |
Microsoft Office vulnerabilities
Microsoft Office Web Apps vulnerabilities
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_office2007compat
win_patch_officeweb201014061
win_patch_sharepoint2010ms14061
win_patch_word2007
win_patch_word2010 |
|
|
CVE-2014-4118 |
XML Core Services (aka MSXML) 3.0 in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code or cause a denial of service (system-state corruption) via crafted XML content, aka "MSXML Remote Code Execution Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_xmlcorever14067 |
|
|
CVE-2014-4121 |
Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 does not properly parse internationalized resource identifiers, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted request to a .NET web application, aka ".NET Framework Remote Code Execution Vulnerability." |
Microsoft NET Framework
Note: Authentication is required to detect this vulnerability |
win_dotnet14057iri |
|
|
CVE-2014-4122 |
Microsoft .NET Framework 2.0 SP2, 3.5, and 3.5.1 omits the ASLR protection mechanism, which allows remote attackers to obtain potentially sensitive information about memory addresses by leveraging the predictability of an executable image's location, aka ".NET ASLR Vulnerability." |
Microsoft NET Framework
Note: Authentication is required to detect this vulnerability |
win_dotnet14057aslr |
|
|
CVE-2014-4123 |
Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability," as exploited in the wild in October 2014, a different vulnerability than CVE-2014-4124. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4124 |
Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2014-4123. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4126 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-4127 |
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4128 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4129 |
Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8 |
|
|
CVE-2014-4130 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-4132 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-4133 |
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7 |
|
|
CVE-2014-4134 |
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8 |
|
|
CVE-2014-4137 |
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4133. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7 |
|
|
CVE-2014-4138 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4132. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-4140 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-4141 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4143 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6341. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-4145 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2810, CVE-2014-2811, CVE-2014-2822, CVE-2014-2823, CVE-2014-4057, and CVE-2014-8985. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-4148 |
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted TrueType font, as exploited in the wild in October 2014, aka "TrueType Font Parsing Remote Code Execution Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14058 |
|
|
CVE-2014-4149 |
Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 does not properly perform TypeFilterLevel checks, which allows remote attackers to execute arbitrary code via crafted data to a .NET Remoting endpoint, aka "TypeFilterLevel Vulnerability." |
Microsoft NET Framework
Note: Authentication is required to detect this vulnerability |
win_dotnet14072 |
|
|
CVE-2014-4166 |
Cross-site scripting (XSS) vulnerability in the song history in SHOUTcast DNAS 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the mp3 title field. |
shoutcast vulnerabilities
|
misc_shoutcast |
|
|
CVE-2014-4171 |
mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4172 |
A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-4174 |
wiretap/libpcap.c in the libpcap file parser in Wireshark 1.10.x before 1.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted packet-trace file that includes a large packet. |
Ethereal vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_wireshark |
|
|
CVE-2014-4201 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect availability via vectors related to WLS - Web Services. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-4202 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect availability via vectors related to WLS - Web Services. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-4207 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allows remote authenticated users to affect availability via vectors related to SROPTZR. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-4208 |
Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4220. |
Java Web Start
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_server_lotus_domino |
|
|
CVE-2014-4209 |
Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX. |
Java Web Start
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_server_lotus_domino |
|
|
CVE-2014-4210 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect confidentiality via vectors related to WLS - Web Services. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-4214 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect availability via vectors related to SRSP. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-4216 |
Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_jre
web_dev_jdk |
|
|
CVE-2014-4217 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, and 12.1.1.0 allows remote attackers to affect integrity via vectors related to WLS - Web Services. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-4218 |
Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Libraries. |
Java Web Start
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_server_lotus_domino |
|
|
CVE-2014-4219 |
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. |
Java Web Start
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_server_lotus_domino |
|
|
CVE-2014-4220 |
Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4208. |
Java Web Start
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_server_lotus_domino |
|
|
CVE-2014-4221 |
Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Libraries. |
Java Web Start
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_server_lotus_domino |
|
|
CVE-2014-4222 |
Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0 and 12.1.2.0 allows remote authenticated users to affect confidentiality via vectors related to plugin 1.1. |
Oracle vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_httpserver |
|
|
CVE-2014-4223 |
Unspecified vulnerability in Oracle Java SE 7u60 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-2483. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_jre
web_dev_jdk |
|
|
CVE-2014-4227 |
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. |
Java Web Start
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_server_lotus_domino |
|
|
CVE-2014-4228 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via vectors related to Graphics driver (WDDM) for Windows guests. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-4233 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect availability via vectors related to SRREP. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-4236 |
Unspecified vulnerability in the RDBMS Core component in Oracle Database Server 11.2.0.4 and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4237 |
Unspecified vulnerability in the RDBMS Core component in Oracle Database Server 11.2.0.4 and 12.1.0.1 allows remote authenticated users to affect confidentiality via unknown vectors. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4238 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect availability via vectors related to SROPTZR. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-4240 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows local users to affect confidentiality and integrity via vectors related to SRREP. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-4241 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect integrity via vectors related to WLS - Web Services. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-4242 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect integrity via unknown vectors related to Console. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-4243 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to ENFED. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-4244 |
Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security. |
IBM Rational AppScan vulnerabilities
Java Web Start
Java Plugin vulnerability
Oracle JRockit vulnerabilities
Cisco FireSIGHT vulnerabilities
Lotus Domino HTTP vulnerability
McAfee ePolicy Orchestrator
Note: Authentication is required to detect this vulnerability |
misc_ibmappscanver
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_jrockitver
web_prog_firesightver
web_server_lotus_domino
web_tool_epolicyver |
|
|
CVE-2014-4245 |
Unspecified vulnerability in the RDBMS Core component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality via unknown vectors. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4247 |
Unspecified vulnerability in Oracle Java SE 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_jre
web_dev_jdk |
|
|
CVE-2014-4251 |
Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0 and 12.1.2.0 allows remote authenticated users to affect integrity via vectors related to plugin 1.1. |
Oracle vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_httpserver |
|
|
CVE-2014-4252 |
Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Security. |
Java Web Start
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_server_lotus_domino |
|
|
CVE-2014-4253 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect availability via vectors related to WebLogic Server JVM. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-4254 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS - Web Services. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-4255 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS - Security and Policy. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-4256 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality and integrity via vectors related to WLS - Deployment. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-4258 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier and 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRINFOSC. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-4260 |
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-4261 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.14 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-2487. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-4262 |
Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. |
Java Web Start
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_server_lotus_domino |
|
|
CVE-2014-4263 |
Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to "Diffie-Hellman key agreement." |
IBM Rational AppScan vulnerabilities
Java Plugin vulnerability
Oracle JRockit vulnerabilities
Cisco FireSIGHT vulnerabilities
Lotus Domino HTTP vulnerability
McAfee ePolicy Orchestrator
Note: Authentication is required to detect this vulnerability |
misc_ibmappscanver
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_jrockitver
web_prog_firesightver
web_server_lotus_domino
web_tool_epolicyver |
|
|
CVE-2014-4264 |
Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect availability via unknown vectors related to Security. |
Java Plugin vulnerability
Cisco FireSIGHT vulnerabilities
McAfee ePolicy Orchestrator
Note: Authentication is required to detect this vulnerability |
web_client_jre
web_dev_jdk
web_prog_firesightver
web_tool_epolicyver |
|
|
CVE-2014-4265 |
Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment. |
Java Web Start
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_server_lotus_domino |
|
|
CVE-2014-4266 |
Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Serviceability. |
Java Web Start
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_server_lotus_domino |
|
|
CVE-2014-4267 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-4268 |
Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Swing. |
Java Web Start
Java Plugin vulnerability
Lotus Domino HTTP vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_server_lotus_domino |
|
|
CVE-2014-4274 |
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to SERVER:MyISAM. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-4287 |
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:CHARACTER SETS. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-4288 |
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-4289 |
Unspecified vulnerability in the JDBC component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2014-6544. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4290 |
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-4310, CVE-2014-6547, and CVE-2014-6477. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4291 |
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-4310, CVE-2014-6547, and CVE-2014-6477. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4292 |
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-4310, CVE-2014-6547, and CVE-2014-6477. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4293 |
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4296, CVE-2014-4297, CVE-2014-4310, CVE-2014-6547, and CVE-2014-6477. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4294 |
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4295, CVE-2014-6538, and CVE-2014-6563. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4295 |
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4294, CVE-2014-6538, and CVE-2014-6563. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4296 |
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4297, CVE-2014-4310, CVE-2014-6547, and CVE-2014-6477. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4297 |
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4310, CVE-2014-6547, and CVE-2014-6477. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4298 |
Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4299, CVE-2014-4300, CVE-2014-6452, CVE-2014-6454, and CVE-2014-6542. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4299 |
Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4298, CVE-2014-4300, CVE-2014-6452, CVE-2014-6454, and CVE-2014-6542. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4300 |
Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4298, CVE-2014-4299, CVE-2014-6452, CVE-2014-6454, and CVE-2014-6542. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4301 |
Multiple cross-site scripting (XSS) vulnerabilities in the respond_error function in routing.py in Eugene Pankov Ajenti before 1.2.21.7 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) resources.js or (2) resources.css in ajenti:static/, related to the traceback page. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4310 |
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-6547, and CVE-2014-6477. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-4341 |
MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session. |
Kerberos detected
Note: Authentication is required to detect this vulnerability |
misc_kerberospkg |
|
|
CVE-2014-4342 |
MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session. |
Kerberos detected
Note: Authentication is required to detect this vulnerability |
misc_kerberospkg |
|
|
CVE-2014-4343 |
Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator. |
Kerberos detected
Note: Authentication is required to detect this vulnerability |
misc_kerberospkg |
|
|
CVE-2014-4344 |
The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation. |
Kerberos detected
Note: Authentication is required to detect this vulnerability |
misc_kerberospkg |
|
|
CVE-2014-4345 |
Off-by-one error in the krb5_encode_krbsecretkey function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) 1.6.x through 1.11.x before 1.11.6 and 1.12.x before 1.12.2 allows remote authenticated users to cause a denial of service (buffer overflow) or possibly execute arbitrary code via a series of "cpw -keepold" commands. |
Kerberos detected
Note: Authentication is required to detect this vulnerability |
misc_kerberospkg |
|
|
CVE-2014-4348 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name that is improperly handled after presence in (a) the favorite list or (b) recent tables. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-4349 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.1.x before 4.1.14.1 and 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name that is improperly handled after a (1) hide or (2) unhide action. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-4350 |
Buffer overflow in QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MIDI file. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4352 |
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4353 |
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4354 |
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4356 |
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4357 |
Accounts Framework in Apple iOS before 8 and Apple TV before 7 allows attackers to obtain sensitive information by reading log data that was not intended to be present in a log. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4361 |
The Home & Lock Screen subsystem in Apple iOS before 8 does not properly restrict the private API for app prominence, which allows attackers to determine the frontmost app by leveraging access to a crafted background app. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4362 |
The Sandbox Profiles implementation in Apple iOS before 8 does not properly restrict the third-party app sandbox profile, which allows attackers to obtain sensitive Apple ID information via a crafted app. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4363 |
Safari in Apple iOS before 8 does not properly restrict the autofilling of passwords in forms, which allows remote attackers to obtain sensitive information via (1) an http web site, (2) an https web site with an unacceptable X.509 certificate, or (3) an IFRAME element. |
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4364 |
The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the MS-CHAPv1 hash. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4366 |
Mail in Apple iOS before 8 does not prevent sending a LOGIN command to a LOGINDISABLED IMAP server, which allows remote attackers to obtain sensitive cleartext information by sniffing the network. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4367 |
Apple iOS before 8 enables Voice Dial during all upgrade actions, which makes it easier for physically proximate attackers to launch unintended calls by speaking a telephone number. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4368 |
The Accessibility subsystem in Apple iOS before 8 allows attackers to interfere with screen locking via vectors related to AssistiveTouch events. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4369 |
The IOAcceleratorFamily API implementation in Apple iOS before 8 and Apple TV before 7 allows attackers to cause a denial of service (NULL pointer dereference and device crash) via an application that uses crafted arguments. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4371 |
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4419, CVE-2014-4420, and CVE-2014-4421. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4372 |
syslogd in the syslog subsystem in Apple iOS before 8 and Apple TV before 7 allows local users to change the permissions of arbitrary files via a symlink attack on an unspecified file. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4373 |
The IntelAccelerator driver in the IOAcceleratorFamily subsystem in Apple iOS before 8 and Apple TV before 7 allows attackers to cause a denial of service (NULL pointer dereference and device restart) via a crafted application. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4374 |
NSXMLParser in Foundation in Apple iOS before 8 allows attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4375 |
Double free vulnerability in Apple iOS before 8 and Apple TV before 7 allows local users to gain privileges or cause a denial of service (device crash) via vectors related to Mach ports. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4376 |
IOKit in IOAcceleratorFamily in Apple OS X before 10.9.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted API arguments. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4377 |
Integer overflow in CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4378 |
CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a crafted PDF document. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4379 |
An unspecified IOHIDFamily function in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking to prevent reading of kernel pointers, which allows attackers to bypass the ASLR protection mechanism via a crafted application. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4380 |
The IOHIDFamily kernel extension in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking on write operations, which allows attackers to execute arbitrary code in the kernel's context via a crafted application. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4381 |
Libnotify in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking on write operations, which allows attackers to execute arbitrary code as root via a crafted application. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4383 |
The Assets subsystem in Apple iOS before 8 and Apple TV before 7 allows man-in-the-middle attackers to spoof a device's update status via a crafted Last-Modified HTTP response header. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4384 |
Directory traversal vulnerability in the App Installation feature in Apple iOS before 8 allows local users to install unverified apps by triggering code-signature validation of an unintended bundle. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4386 |
Race condition in the App Installation feature in Apple iOS before 8 allows local users to gain privileges and install unverified apps by leveraging /tmp write access. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4388 |
IOKit in Apple iOS before 8 and Apple TV before 7 does not properly validate IODataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via an application that provides crafted values in unspecified metadata fields, a different vulnerability than CVE-2014-4418. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4389 |
Integer overflow in IOKit in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted API arguments. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4390 |
Bluetooth in Apple OS X before 10.9.5 does not properly validate API calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4393 |
Buffer overflow in the shader compiler in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GLSL shader. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4394 |
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4395 |
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4396 |
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4397 |
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4398 |
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4399 |
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4400 |
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4401, and CVE-2014-4416. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4401 |
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, and CVE-2014-4416. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4402 |
An unspecified IOAcceleratorFamily function in Apple OS X before 10.9.5 lacks proper bounds checking on read operations, which allows attackers to execute arbitrary code in a privileged context via a crafted application. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4403 |
The kernel in Apple OS X before 10.9.5 allows local users to obtain sensitive address information and bypass the ASLR protection mechanism by leveraging predictability of the location of the CPU Global Descriptor Table. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4404 |
Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4405 |
IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted key-mapping properties. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4406 |
Cross-site scripting (XSS) vulnerability in Xcode Server in CoreCollaboration in Apple OS X Server before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Apple OS X Server vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_server_version |
|
|
CVE-2014-4407 |
IOKit in Apple iOS before 8 and Apple TV before 7 does not properly initialize kernel memory, which allows attackers to obtain sensitive memory-content information via an application that makes crafted IOKit function calls. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4408 |
The rt_setgate function in the kernel in Apple iOS before 8 and Apple TV before 7 allows local users to gain privileges or cause a denial of service (out-of-bounds read and device crash) via a crafted call. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4409 |
WebKit in Apple iOS before 8 makes it easier for remote attackers to track users during private browsing via a crafted web site that reads HTML5 application-cache data that had been stored during normal browsing. |
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4410 |
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4411 |
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4412 |
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4413 |
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4414 |
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4415 |
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4416 |
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, and CVE-2014-4401. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4418 |
IOKit in Apple iOS before 8 and Apple TV before 7 does not properly validate IODataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via an application that provides crafted values in unspecified metadata fields, a different vulnerability than CVE-2014-4388. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4419 |
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4420, and CVE-2014-4421. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4420 |
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4419, and CVE-2014-4421. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4421 |
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4419, and CVE-2014-4420. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4422 |
The kernel in Apple iOS before 8 and Apple TV before 7 uses a predictable random number generator during the early portion of the boot process, which allows attackers to bypass certain kernel-hardening protection mechanisms by using a user-space process to observe data related to the random numbers. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4423 |
The Accounts subsystem in Apple iOS before 8 allows attackers to bypass a sandbox protection mechanism and obtain an active iCloud account's Apple ID and metadata via a crafted application. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4424 |
SQL injection vulnerability in Wiki Server in CoreCollaboration in Apple OS X Server before 2.2.3 and 3.x before 3.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
Apple OS X Server vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_server_version |
|
|
CVE-2014-4426 |
AFP File Server in Apple OS X before 10.10 allows remote attackers to discover the network addresses of all interfaces via an unspecified command to one interface. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4428 |
Bluetooth in Apple OS X before 10.10 does not require encryption for HID Low Energy devices, which allows remote attackers to spoof a device by leveraging previous pairing. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4446 |
Mail Service in Apple OS X Server before 4.0 does not enforce SACL changes until after a service restart, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging a change made by an administrator. |
Apple OS X Server vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_server_version |
|
|
CVE-2014-4447 |
Profile Manager in Apple OS X Server before 4.0 allows local users to discover cleartext passwords by reading a file after a (1) profile setup or (2) profile edit occurs. |
Apple OS X Server vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_server_version |
|
|
CVE-2014-4448 |
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4449 |
iCloud Data Access in Apple iOS before 8.1 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4450 |
The QuickType feature in the Keyboards subsystem in Apple iOS before 8.1 collects typing-prediction data from fields with an off autocomplete attribute, which makes it easier for attackers to discover credentials by reading credential values within unintended DOM input elements. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4451 |
Apple iOS before 8.1.1 does not properly enforce the failed-passcode limit, which makes it easier for physically proximate attackers to bypass the lock-screen protection mechanism via a series of guesses. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4452 |
WebKit, as used in Apple iOS before 8.1.1 and Apple TV before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-4462. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4453 |
Apple iOS before 8.1.1 and OS X before 10.10.1 include location data during establishment of a Spotlight Suggestions server connection by Spotlight or Safari, which might allow remote attackers to obtain sensitive information via unspecified vectors. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4455 |
dyld in Apple iOS before 8.1.1 and Apple TV before 7.0.2 does not properly handle overlapping segments in Mach-O executable files, which allows local users to bypass intended code-signing restrictions via a crafted file. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4457 |
The Sandbox Profiles subsystem in Apple iOS before 8.1.1 does not properly implement the debugserver sandbox, which allows attackers to bypass intended binary-execution restrictions via a crafted application that is run during a time period when debugging is not enabled. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4458 |
The "System Profiler About This Mac" component in Apple OS X before 10.10.1 includes extraneous cookie data in system-model requests, which might allow remote attackers to obtain sensitive information via unspecified vectors. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4459 |
Use-after-free vulnerability in WebKit, as used in Apple OS X before 10.10.1, allows remote attackers to execute arbitrary code via crafted page objects in an HTML document. |
iTunes vulnerabilities
MacOSX vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_macosx_version
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4460 |
CFNetwork in Apple iOS before 8.1.1 and OS X before 10.10.1 does not properly clear the browsing cache upon a transition out of private-browsing mode, which makes it easier for physically proximate attackers to obtain sensitive information by reading cache files. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4461 |
The kernel in Apple iOS before 8.1.1 and Apple TV before 7.0.2 does not properly validate IOSharedDataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via a crafted application. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4462 |
WebKit, as used in Apple iOS before 8.1.1 and Apple TV before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-4452. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4463 |
Apple iOS before 8.1.1 allows physically proximate attackers to bypass the lock-screen protection mechanism, and view or transmit a Photo Library photo, via the FaceTime "Leave a Message" feature. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4465 |
WebKit in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1 allows remote attackers to bypass the Same Origin Policy via crafted Cascading Style Sheets (CSS) token sequences within an SVG file in the SRC attribute of an IMG element. |
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4466 |
WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4467 |
WebKit, as used in Apple iOS before 8.1.3, does not properly determine scrollbar boundaries during the rendering of FRAME elements, which allows remote attackers to spoof the UI via a crafted web site. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4468 |
WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4469 |
WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4470 |
WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4471 |
WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4472 |
WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4473 |
WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4474 |
WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4475 |
WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1. |
iTunes vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4476 |
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-4477 and CVE-2014-4479. |
iTunes vulnerabilities
MacOSX vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_macosx_version
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4477 |
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-4476 and CVE-2014-4479. |
iTunes vulnerabilities
MacOSX vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_macosx_version
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4479 |
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-4476 and CVE-2014-4477. |
iTunes vulnerabilities
MacOSX vulnerabilities
Apple iOS vulnerabilities
Safari vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_macosx_version
misc_mobile_iosver
web_client_safari |
|
|
CVE-2014-4480 |
Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4481 |
Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4483 |
Buffer overflow in FontParser in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted font file in a PDF document. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4484 |
FontParser in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted .dfont file. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4485 |
Buffer overflow in the XML parser in Foundation in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted XML document. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4486 |
IOAcceleratorFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not properly handle resource lists and IOService userclient types, which allows attackers to execute arbitrary code or cause a denial of service (NULL pointer dereference) via a crafted app. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4487 |
Buffer overflow in IOHIDFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows attackers to execute arbitrary code in a privileged context via a crafted app. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4488 |
IOHIDFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not properly validate resource-queue metadata, which allows attackers to execute arbitrary code in a privileged context via a crafted app. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4489 |
IOHIDFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not properly initialize event queues, which allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via a crafted app. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4491 |
The extension APIs in the kernel in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 do not prevent the presence of addresses within an OSBundleMachOHeaders key in a response, which makes it easier for attackers to bypass the ASLR protection mechanism via a crafted app. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4492 |
libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not verify that certain values have the expected data type, which allows attackers to execute arbitrary code in an _networkd context via a crafted XPC message from a sandboxed app, as demonstrated by lack of verification of the XPC dictionary data type. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4493 |
The app-installation functionality in MobileInstallation in Apple iOS before 8.1.3 allows attackers to obtain control of the local app container by leveraging access to an enterprise distribution certificate for signing a crafted app. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4494 |
Springboard in Apple iOS before 8.1.3 does not properly validate signatures when determining whether to solicit an app trust decision from the user, which allows attackers to bypass intended first-launch restrictions by leveraging access to an enterprise distribution certificate for signing a crafted app. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-4495 |
The kernel in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not enforce the read-only attribute of a shared memory segment during use of a custom cache mode, which allows attackers to bypass intended access restrictions via a crafted app. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4496 |
The mach_port_kobject interface in the kernel in Apple iOS before 8.1.3 and Apple TV before 7.0.3 does not properly restrict kernel-address and heap-permutation information, which makes it easier for attackers to bypass the ASLR protection mechanism via a crafted app. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-4497 |
Integer signedness error in IOBluetoothFamily in the Bluetooth implementation in Apple OS X before 10.10 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (write to kernel memory) via a crafted app. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4498 |
The CPU Software in Apple OS X before 10.10.2 allows physically proximate attackers to modify firmware during the EFI update process by inserting a Thunderbolt device with crafted code in an Option ROM, aka the "Thunderstrike" issue. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4499 |
The App Store process in CommerceKit Framework in Apple OS X before 10.10.2 places Apple ID credentials in App Store logs, which allows local users to obtain sensitive information by reading a file. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-4508 |
arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4511 |
Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to blame/master/, master/, and stats/master/. |
vulnerable web program
|
web_prog_cgi_gitlistblame |
|
|
CVE-2014-4608 |
Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says "the Linux kernel is *not* affected; media hype. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4609 |
Integer overflow in the get_len function in libavutil/lzo.c in Libav before 0.8.13, 9.x before 9.14, and 10.x before 10.2 allows remote attackers to execute arbitrary code via a crafted Literal Run. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-4610 |
Integer overflow in the get_len function in libavutil/lzo.c in FFmpeg before 0.10.14, 1.1.x before 1.1.12, 1.2.x before 1.2.7, 2.0.x before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.4 allows remote attackers to execute arbitrary code via a crafted Literal Run. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-4611 |
Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet LZ4 before r118 and in the lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit platforms might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run that would be improperly handled by programs not complying with an API limitation, a different vulnerability than CVE-2014-4715. |
Horde Groupware vulnerabilities
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_web_hordegroupware
misc_linuxkernel |
|
|
CVE-2014-4612 |
Cross-site scripting (XSS) vulnerability in the keywords manager (keywordmgr.php) in Coppermine Photo Gallery before 1.5.27 and 1.6.x before 1.6.01 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Coppermine Photo Gallery vulnerabilities
|
web_prog_php_cpgver |
|
|
CVE-2014-4617 |
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence. |
GnuPG vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gnupg
misc_gnupgsmime |
|
|
CVE-2014-4643 |
Multiple heap-based buffer overflows in the client in Core FTP LE 2.2 build 1798 allow remote FTP servers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string in a reply to a (1) USER, (2) PASS, (3) PASV, (4) SYST, (5) PWD, or (6) CDUP command. |
Core FTP vulnerabilities
Note: Authentication is required to detect this vulnerability |
ftp_coreftpclient |
|
|
CVE-2014-4650 |
The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator. |
Python vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_python |
|
|
CVE-2014-4652 |
Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4653 |
sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4654 |
The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4655 |
The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4656 |
Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4657 |
The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. |
Ansible vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_ansiblever |
|
|
CVE-2014-4658 |
The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file. |
Ansible vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_ansiblever |
|
|
CVE-2014-4659 |
Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format. |
Ansible vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_ansiblever |
|
|
CVE-2014-4660 |
Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format. |
Ansible vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_ansiblever |
|
|
CVE-2014-4667 |
The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4670 |
Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-4671 |
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API. |
Flash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie |
|
|
CVE-2014-4678 |
The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657. |
Ansible vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_ansiblever |
|
|
CVE-2014-4679 |
|
Wing FTP vulnerabilities
|
ftp_wingftpver |
|
|
CVE-2014-4680 |
|
Wing FTP vulnerabilities
|
ftp_wingftpver |
|
|
CVE-2014-4681 |
|
Wing FTP vulnerabilities
|
ftp_wingftpver |
|
|
CVE-2014-4687 |
Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.1.4 allow remote attackers to inject arbitrary web script or HTML via (1) the starttime0 parameter to firewall_schedule.php, (2) the rssfeed parameter to rss.widget.php, (3) the servicestatusfilter parameter to services_status.widget.php, (4) the txtRecallBuffer parameter to exec.php, or (5) the HTTP Referer header to log.widget.php. |
pfSense vulnerabilities
|
net_pfsense |
|
|
CVE-2014-4688 |
pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create Alias action, (2) the smartmonemail value to diag_smart.php, or (3) the database value to status_rrd_graph_img.php. |
pfSense vulnerabilities
|
net_pfsense |
|
|
CVE-2014-4689 |
Absolute path traversal vulnerability in pkg_edit.php in pfSense before 2.1.4 allows remote attackers to read arbitrary XML files via a full pathname in the xml parameter. |
pfSense vulnerabilities
|
net_pfsense |
|
|
CVE-2014-4690 |
Multiple directory traversal vulnerabilities in pfSense before 2.1.4 allow (1) remote attackers to read arbitrary .info files via a crafted path in the pkg parameter to pkg_mgr_install.php and allow (2) remote authenticated users to read arbitrary files via the downloadbackup parameter to system_firmware_restorefullbackup.php. |
pfSense vulnerabilities
|
net_pfsense |
|
|
CVE-2014-4691 |
Session fixation vulnerability in pfSense before 2.1.4 allows remote attackers to hijack web sessions via a firewall login cookie. |
pfSense vulnerabilities
|
net_pfsense |
|
|
CVE-2014-4692 |
pfSense before 2.1.4, when HTTP is used, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
pfSense vulnerabilities
|
net_pfsense |
|
|
CVE-2014-4698 |
Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-4699 |
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4715 |
Yann Collet LZ4 before r119, when used on certain 32-bit platforms that allocate memory beyond 0x80000000, does not properly detect integer overflows, which allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run, a different vulnerability than CVE-2014-4611. |
Horde Groupware vulnerabilities
|
mail_web_hordegroupware |
|
|
CVE-2014-4721 |
The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php. |
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_version |
|
|
CVE-2014-4742 |
Cross-site scripting (XSS) vulnerability in system/class_link.php in the System module (module_system) in Kajona before 4.5 allows remote attackers to inject arbitrary web script or HTML via the systemid parameter in a mediaFolder action to index.php. |
Kajona vulnerabilities
|
web_prog_php_kajonaver |
|
|
CVE-2014-4743 |
Multiple cross-site scripting (XSS) vulnerabilities in (1) search_ajax.tpl and (2) search_ajax_small.tpl in templates/default/tpl/module_search/ in the Search module (module_search) in Kajona before 4.5 allow remote attackers to inject arbitrary web script or HTML via the search parameter. |
Kajona vulnerabilities
|
web_prog_php_kajonaver |
|
|
CVE-2014-4747 |
The Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows physically proximate attackers to discover a meeting password hash by leveraging access to an unattended workstation to read HTML source code within a victim's browser. |
Lotus Sametime vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_server_lotus_sametimecliver |
|
|
CVE-2014-4748 |
Cross-site scripting (XSS) vulnerability in the Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
Lotus Sametime vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_server_lotus_sametimecliver |
|
|
CVE-2014-4764 |
IBM WebSphere Application Server (WAS) 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.3, when Load Balancer for IPv4 Dispatcher is enabled, allows remote attackers to cause a denial of service (Load Balancer crash) via unspecified vectors. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-4766 |
IBM Sametime Classic Meeting Server 8.0.x and 8.5.x allows remote attackers to obtain sensitive information by reading an exported Record and Playback (RAP) file. |
Lotus Sametime vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_server_lotus_sametimecliver |
|
|
CVE-2014-4767 |
IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8.5.5.3 does not properly use the Liberty Repository for feature installation, which allows remote authenticated users to execute arbitrary code via unspecified vectors. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-4770 |
Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server (WAS) 6.x through 6.1.0.47, 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 allows remote authenticated administrators to inject arbitrary web script or HTML via a crafted URL. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-4805 |
IBM DB2 10.5 before FP4 on Linux and AIX creates temporary files during CDE table LOAD operations, which allows local users to obtain sensitive information by reading a file while a LOAD is occurring. |
DB2 vulnerabilities
|
database_db2ver |
|
|
CVE-2014-4806 |
The installation process in IBM Security AppScan Enterprise 8.x before 8.6.0.2 iFix 003, 8.7.x before 8.7.0.1 iFix 003, 8.8.x before 8.8.0.1 iFix 002, and 9.0.x before 9.0.0.1 iFix 001 on Linux places a cleartext password in a temporary file, which allows local users to obtain sensitive information by reading this file. |
IBM Rational AppScan vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ibmappscanentver |
|
|
CVE-2014-4812 |
The installer in IBM Security AppScan Source 8.x and 9.x through 9.0.1 has an open network port for a debug service, which allows remote attackers to obtain sensitive information by connecting to this port. |
IBM Rational AppScan vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ibmappscansourcever |
|
|
CVE-2014-4816 |
Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.x through 6.1.0.47, 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-4817 |
The server in IBM Tivoli Storage Manager (TSM) 5.x and 6.x before 6.3.5.10 and 7.x before 7.1.1.100 allows remote attackers to bypass intended access restrictions and replace file backups by using a certain backup option in conjunction with a filename that matches a previously used filename. |
Tivoli Storage Manager
|
misc_tivolicategory_storagever |
|
|
CVE-2014-4853 |
Cross-site scripting (XSS) vulnerability in odm-init.php in OpenDocMan before 1.2.7.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name of an uploaded file. |
OpenDocMan vulnerabilities
|
web_prog_php_opendocmanver |
|
|
CVE-2014-4928 |
SQL injection vulnerability in Invision Power Board (aka IPB or IP.Board) before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the cId parameter. |
Invision Power Board
|
web_prog_php_ipbversion |
|
|
CVE-2014-4929 |
Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php. |
OwnCloud vulnerabilities
|
misc_owncloudver |
|
|
CVE-2014-4931 |
|
Symfony vulnerabilities
|
web_prog_php_symfonyver |
|
|
CVE-2014-4943 |
The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-4945 |
Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via an unspecified flag in the basic (1) mailbox or (2) message view. |
Horde Groupware vulnerabilities
Horde IMP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_web_hordegroupware
mail_web_imp |
|
|
CVE-2014-4946 |
Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via (1) unspecified flags or (2) a mailbox name in the dynamic mailbox view. |
Horde Groupware vulnerabilities
Horde IMP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
mail_web_hordegroupware
mail_web_imp |
|
|
CVE-2014-4954 |
Cross-site scripting (XSS) vulnerability in the PMA_getHtmlForActionLinks function in libraries/structure.lib.php in phpMyAdmin 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted table comment that is improperly handled during construction of a database structure page. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-4955 |
Cross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList function in libraries/rte/rte_list.lib.php in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted trigger name that is improperly handled on the database triggers page. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-4966 |
Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data. |
Ansible vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_ansiblever |
|
|
CVE-2014-4967 |
Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a trailing " validate=" clause accompanied by a shell command. |
Ansible vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_ansiblever |
|
|
CVE-2014-4971 |
Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem. |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_msmq14062 |
|
|
CVE-2014-4973 |
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call. |
ESET Antivirus vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_av_eset_es
misc_av_eset_ss |
|
|
CVE-2014-4974 |
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) kernel mode driver, aka Personal Firewall module before Build 1212 (20140609), as used in multiple ESET products 5.0 through 7.0, allows local users to obtain sensitive information from kernel memory via crafted IOCTL calls. |
ESET Antivirus vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_av_eset_es
misc_av_eset_ss |
|
|
CVE-2014-4975 |
Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow. |
Ruby vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_dev_ruby |
|
|
CVE-2014-4979 |
Apple QuickTime allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a malformed version number and flags in an mvhd atom. |
MacOSX vulnerabilities
QuickTime vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_quicktime |
|
|
CVE-2014-4986 |
Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-4987 |
server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-5019 |
The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use. |
Drupal vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal |
|
|
CVE-2014-5020 |
The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field. |
Drupal vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal |
|
|
CVE-2014-5021 |
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label. |
Drupal vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal |
|
|
CVE-2014-5022 |
Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field. |
Drupal vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal |
|
|
CVE-2014-5025 |
Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action. |
Cacti vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_cacti |
|
|
CVE-2014-5026 |
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host Templates Name in a delete action; (6) Data Source Title; (7) Graph Title; or (8) Graph Template Name in a delete or (9) duplicate action. |
Cacti vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_cacti |
|
|
CVE-2014-5027 |
Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page. |
Cacti vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_cacti |
|
|
CVE-2014-5029 |
The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537. |
CUPS vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
printer_cupsversion |
|
|
CVE-2014-5030 |
CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py. |
CUPS vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
printer_cupsversion |
|
|
CVE-2014-5031 |
The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtains sensitive information via unspecified vectors. |
CUPS vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
printer_cupsversion |
|
|
CVE-2014-5033 |
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions." |
Konqueror vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_konqueror |
|
|
CVE-2014-5045 |
The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a certain reference count during attempts to use the umount system call in conjunction with a symlink, which allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have unspecified other impact via the umount program. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-5077 |
The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-5102 |
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items. |
vBulletin vulnerabilities
|
web_prog_php_vbulletin |
|
|
CVE-2014-5119 |
Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules. |
Cisco voice products
Note: Authentication is required to detect this vulnerability |
net_cisco_cucmver |
|
|
CVE-2014-5120 |
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-5139 |
The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client. |
Cerberus FTP Server
OpenSSL vulnerabilities
WinSCP vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
ftp_cerberusver
misc_openssl
shell_ssh_winscp
web_tool_hpsmh |
|
|
CVE-2014-5146 |
Certain MMU virtualization operations in Xen 4.2.x through 4.4.x before the xsa97-hap patch, when using Hardware Assisted Paging (HAP), are not preemptible, which allows local HVM guest to cause a denial of service (vcpu consumption) by invoking these operations, which process every page assigned to a guest, a different vulnerability than CVE-2014-5149. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-5148 |
Xen 4.4.x, when running on an ARM system and "handling an unknown system register access from 64-bit userspace," returns to an instruction of the trap handler for kernel space faults instead of an instruction that is associated with faults in 64-bit userspace, which allows local guest users to cause a denial of service (crash) and possibly gain privileges via a crafted process. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-5149 |
Certain MMU virtualization operations in Xen 4.2.x through 4.4.x, when using shadow pagetables, are not preemptible, which allows local HVM guest to cause a denial of service (vcpu consumption) by invoking these operations, which process every page assigned to a guest, a different vulnerability than CVE-2014-5146. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-5161 |
The dissect_log function in plugins/irda/packet-irda.c in the IrDA dissector in Wireshark 1.10.x before 1.10.9 does not properly strip '\n' characters, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet. |
Ethereal vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_wireshark |
|
|
CVE-2014-5162 |
The read_new_line function in wiretap/catapult_dct2000.c in the Catapult DCT2000 dissector in Wireshark 1.10.x before 1.10.9 does not properly strip '\n' and '\r' characters, which allows remote attackers to cause a denial of service (off-by-one buffer underflow and application crash) via a crafted packet. |
Ethereal vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_wireshark |
|
|
CVE-2014-5163 |
The APN decode functionality in (1) epan/dissectors/packet-gtp.c and (2) epan/dissectors/packet-gsm_a_gm.c in the GTP and GSM Management dissectors in Wireshark 1.10.x before 1.10.9 does not completely initialize a certain buffer, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. |
Ethereal vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_wireshark |
|
|
CVE-2014-5164 |
The rlc_decode_li function in epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.10.x before 1.10.9 initializes a certain structure member only after this member is used, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. |
Ethereal vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_wireshark |
|
|
CVE-2014-5165 |
The dissect_ber_constrained_bitstring function in epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.10.x before 1.10.9 does not properly validate padding values, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet. |
Ethereal vulnerabilities
Note: Authentication is required to detect this vulnerability |
net_wireshark |
|
|
CVE-2014-5178 |
Multiple cross-site scripting (XSS) vulnerabilities in Easy File Sharing (EFS) Web Server 6.8 allow remote authenticated users to inject arbitrary web script or HTML via the content parameter when (1) creating a topic or (2) posting an answer. NOTE: some of these details are obtained from third party information. |
Easy File Sharing Web Server
|
web_server_efswsver |
|
|
CVE-2014-5197 |
Directory traversal vulnerability in (1) Splunk Web or the (2) Splunkd HTTP Server in Splunk Enterprise 6.1.x before 6.1.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a URI, related to search ids. |
Splunk vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_splunkver |
|
|
CVE-2014-5198 |
Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.1.x before 6.1.3 allows remote attackers to inject arbitrary web script or HTML via the Referer HTTP header. |
Splunk vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_splunkver |
|
|
CVE-2014-5203 |
wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-5204 |
wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-5205 |
wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-5212 |
Cross-site scripting (XSS) vulnerability in nds/search/data in iMonitor in Novell eDirectory before 8.8 SP8 Patch 4 allows remote attackers to inject arbitrary web script or HTML via the rdn parameter. |
Novell eDirectory
Note: Authentication is required to detect this vulnerability |
misc_edirectoryver |
|
|
CVE-2014-5213 |
nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images in iMonitor in Novell eDirectory before 8.8 SP8 Patch 4 allows remote authenticated users to obtain sensitive information from process memory via a direct request. |
Novell eDirectory
Note: Authentication is required to detect this vulnerability |
misc_edirectoryver |
|
|
CVE-2014-5214 |
nps/servlet/webacc in iManager in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated novlwww users to read arbitrary files via a query parameter containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
NetIQ Access Manager vulnerabilities
|
web_prog_jsp_netiqx509err |
|
|
CVE-2014-5215 |
NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated administrators to discover service-account passwords via a request to (1) roma/jsp/volsc/monitoring/dev_services.jsp or (2) roma/jsp/debug/debug.jsp. |
NetIQ Access Manager vulnerabilities
|
web_prog_jsp_netiqx509err |
|
|
CVE-2014-5216 |
Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allow remote attackers to inject arbitrary web script or HTML via (1) the location parameter in a dev.Empty action to nps/servlet/webacc, (2) the error parameter to nidp/jsp/x509err.jsp, (3) the lang parameter to sslvpn/applet_agent.jsp, or (4) the secureLoggingServersA parameter to roma/system/cntl, a different issue than CVE-2014-9412. |
NetIQ Access Manager vulnerabilities
|
web_prog_jsp_netiqx509err |
|
|
CVE-2014-5217 |
Cross-site request forgery (CSRF) vulnerability in nps/servlet/webacc in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.1 allows remote attackers to hijack the authentication of administrators for requests that change the administrative password via an fw.SetPassword action. |
NetIQ Access Manager vulnerabilities
|
web_prog_jsp_netiqx509err |
|
|
CVE-2014-5240 |
Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-5244 |
|
Symfony vulnerabilities
|
web_prog_php_symfonyver |
|
|
CVE-2014-5245 |
|
Symfony vulnerabilities
|
web_prog_php_symfonyver |
|
|
CVE-2014-5247 |
The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command. |
Ganeti vulnerabilities
|
misc_ganetiver |
|
|
CVE-2014-5261 |
The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a font size, related to the rrdtool commandline in lib/rrd.php. |
Cacti vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_cacti |
|
|
CVE-2014-5262 |
SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
Cacti vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_cacti |
|
|
CVE-2014-5265 |
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. |
Drupal vulnerabilities
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal
web_prog_php_wordpress |
|
|
CVE-2014-5266 |
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. |
Drupal vulnerabilities
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal
web_prog_php_wordpress |
|
|
CVE-2014-5267 |
modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document. |
Drupal vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal |
|
|
CVE-2014-5270 |
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576. |
GnuPG vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gnupg |
|
|
CVE-2014-5273 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) browse table page, related to js/sql.js; (2) ENUM editor page, related to js/functions.js; (3) monitor page, related to js/server_status_monitor.js; (4) query charts page, related to js/tbl_chart.js; or (5) table relations page, related to libraries/tbl_relation.lib.php. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-5274 |
Cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to js/functions.js. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-5277 |
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. |
docker vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_dockerver |
|
|
CVE-2014-5315 |
Cross-site scripting (XSS) vulnerability in the Help page in Adobe Acrobat 9.5.2 and earlier and ColdFusion 8.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat |
|
|
CVE-2014-5322 |
Cross-site scripting (XSS) vulnerability in the Instant Web Publish function in FileMaker Pro before 13 and Pro Advanced before 13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-3640. |
FileMaker Pro vulnerabilities
|
web_tool_filemakerprover |
|
|
CVE-2014-5351 |
The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. |
Kerberos detected
Note: Authentication is required to detect this vulnerability |
misc_kerberospkg |
|
|
CVE-2014-5352 |
The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly maintain security-context handles, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to kadmind. |
Kerberos detected
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_kerberospkg
misc_mobile_iosver |
|
|
CVE-2014-5353 |
The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy. |
Kerberos detected
Note: Authentication is required to detect this vulnerability |
misc_kerberospkg |
|
|
CVE-2014-5354 |
plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command. |
Kerberos detected
Note: Authentication is required to detect this vulnerability |
misc_kerberospkg |
|
|
CVE-2014-5400 |
The installation component in Hospira MedNet before 6.1 places cleartext credentials in configuration files, which allows local users to obtain sensitive information by reading a file. |
Hospira MedNet vulnerabilities
|
misc_hospiramednet |
|
|
CVE-2014-5401 |
Hospira MedNet software version 5.8 and prior uses vulnerable versions of the JBoss Enterprise Application Platform software that may allow unauthenticated users to execute arbitrary code on the target system. Hospira has developed a new version of the MedNet software, MedNet 6.1. Existing versions of MedNet can be upgraded to MedNet 6.1. |
Hospira MedNet vulnerabilities
|
misc_hospiramednet |
|
|
CVE-2014-5403 |
Hospira MedNet before 6.1 uses hardcoded cryptographic keys for protection of data transmission from infusion pumps, which allows remote attackers to obtain sensitive information by sniffing the network. |
Hospira MedNet vulnerabilities
|
misc_hospiramednet |
|
|
CVE-2014-5405 |
Hospira MedNet before 6.1 uses a hardcoded cleartext password to control SQL database authorization, which allows remote authenticated users to bypass intended access restrictions by leveraging knowledge of this password. |
Hospira MedNet vulnerabilities
|
misc_hospiramednet |
|
|
CVE-2014-5406 |
The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459. |
Hospira vulnerabilities
|
misc_hospirapca |
|
|
CVE-2014-5427 |
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read password hashes via a POST request. |
Johnson Controls Metasys vulnerabilities
|
misc_scada_metasyshash |
|
|
CVE-2014-5451 |
Cross-site scripting (XSS) vulnerability in manager/templates/default/header.tpl in MODX Revolution 2.3.1-pl and earlier allows remote attackers to inject arbitrary web script or HTML via the "a" parameter to manager/. NOTE: this issue exists because of a CVE-2014-2080 regression. |
MODx Revolution vulnerabilities
|
web_prog_php_modxrevver |
|
|
CVE-2014-5466 |
Cross-site scripting (XSS) vulnerability in the Dashboard in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4, 6.0.x before 6.0.7, and 5.0.x before 5.0.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Splunk vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_splunkver |
|
|
CVE-2014-5471 |
Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-5472 |
The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-6040 |
GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8. |
glibc vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_glibcver |
|
|
CVE-2014-6041 |
The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser. |
Google Android vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_androidver |
|
|
CVE-2014-6061 |
|
Symfony vulnerabilities
|
web_prog_php_symfonyver |
|
|
CVE-2014-6071 |
jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. |
jQuery vulnerabilities
|
web_lib_jquery |
|
|
CVE-2014-6072 |
|
Symfony vulnerabilities
|
web_prog_php_symfonyver |
|
|
CVE-2014-6097 |
IBM DB2 9.7 before FP10 and 9.8 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) via a crafted ALTER TABLE statement. |
DB2 vulnerabilities
|
database_db2ver |
|
|
CVE-2014-6119 |
IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8.6 IFix 004, 8.7 before 8.7 IFix 004, 8.8 before 8.8 iFix 003, 9.0 before 9.0.0.1 iFix 003, and 9.0.1 before 9.0.1 iFix 001 allows remote attackers to execute arbitrary code via a crafted executable file in an archive. |
IBM Rational AppScan vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ibmappscanentver |
|
|
CVE-2014-6121 |
Cross-site scripting (XSS) vulnerability in IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8.6 IFix 004, 8.7 before 8.7 IFix 004, 8.8 before 8.8 iFix 003, 9.0 before 9.0.0.1 iFix 003, and 9.0.1 before 9.0.1 iFix 001 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. |
IBM Rational AppScan vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ibmappscanentver |
|
|
CVE-2014-6122 |
IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8.6 IFix 004, 8.7 before 8.7 IFix 004, 8.8 before 8.8 iFix 003, 9.0 before 9.0.0.1 iFix 003, and 9.0.1 before 9.0.1 iFix 001 allows remote authenticated users to write to arbitrary folders, and consequently execute arbitrary commands, via a modified argument. |
IBM Rational AppScan vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ibmappscanentver |
|
|
CVE-2014-6123 |
IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to obtain sensitive credential information by reading installation logs. |
IBM Rational AppScan vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ibmappscansourcever |
|
|
CVE-2014-6135 |
IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8.6 IFix 004, 8.7 before 8.7 IFix 004, 8.8 before 8.8 iFix 003, 9.0 before 9.0.0.1 iFix 003, and 9.0.1 before 9.0.1 iFix 001 allows remote attackers to conduct clickjacking attacks via unspecified vectors. |
IBM Rational AppScan vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ibmappscanentver |
|
|
CVE-2014-6159 |
IBM DB2 9.7 before FP10, 9.8 through FP5, 10.1 through FT4, and 10.5 through FP4 on Linux, UNIX, and Windows, when immediate AUTO_REVAL is enabled, allows remote authenticated users to cause a denial of service (daemon crash) via a crafted ALTER TABLE statement. |
DB2 vulnerabilities
|
database_db2ver |
|
|
CVE-2014-6209 |
IBM DB2 9.5 through FP10, 9.7 through FP10, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP5 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) by specifying an identity column within a crafted ALTER TABLE statement. |
DB2 vulnerabilities
|
database_db2ver |
|
|
CVE-2014-6210 |
IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP5 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) by specifying the same column within multiple ALTER TABLE statements. |
DB2 vulnerabilities
|
database_db2ver |
|
|
CVE-2014-6268 |
The evtchn_fifo_set_pending function in Xen 4.4.x allows local guest users to cause a denial of service (host crash) via vectors involving an uninitialized FIFO-based event channel control block when (1) binding or (2) moving an event to a different VCPU. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-6269 |
Multiple integer overflows in the http_request_forward_body function in proto_http.c in HAProxy 1.5-dev23 before 1.5.4 allow remote attackers to cause a denial of service (crash) via a large stream of data, which triggers a buffer overflow and an out-of-bounds read. |
HAProxy vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_haproxyver |
|
|
CVE-2014-6270 |
Off-by-one error in the snmpHandleUdp function in snmp_core.cc in Squid 2.x and 3.x, when an SNMP port is configured, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted UDP SNMP request, which triggers a heap-based buffer overflow. |
Squid vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_proxy_squid |
|
|
CVE-2014-6271 |
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. |
VMWare ESX vulnerabilities
Splunk vulnerabilities
Bash vulnerabilities
Cisco FireSIGHT vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_esxbuild
misc_splunkver
shell_bash
shell_bashcodeinject
web_prog_firesightver |
|
|
CVE-2014-6277 |
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. |
VMWare ESX vulnerabilities
MacOSX vulnerabilities
Bash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_esxbuild
misc_macosx_version
shell_bash |
|
|
CVE-2014-6278 |
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. |
VMWare ESX vulnerabilities
Bash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_esxbuild
shell_bash |
|
|
CVE-2014-6300 |
Cross-site scripting (XSS) vulnerability in the micro history implementation in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before 4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and consequently conduct a cross-site request forgery (CSRF) attack to create a root account, via a crafted URL, related to js/ajax.js. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-6316 |
core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-6317 |
Array index error in win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (reboot) via a crafted TrueType font, aka "Denial of Service in Windows Kernel Mode Driver Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14079 |
|
|
CVE-2014-6318 |
The audit logon feature in Remote Desktop Protocol (RDP) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly log unauthorized login attempts supplying valid credentials, which makes it easier for remote attackers to bypass intended access restrictions via a series of attempts, aka "Remote Desktop Protocol (RDP) Failure to Audit Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_schannel14074 |
|
|
CVE-2014-6319 |
Outlook Web App (OWA) in Microsoft Exchange Server 2007 SP3, 2010 SP3, and 2013 SP1 and Cumulative Update 6 does not properly validate tokens in requests, which allows remote attackers to spoof the origin of e-mail messages via unspecified vectors, aka "Outlook Web App Token Spoofing Vulnerability." |
Outlook Web Access
Note: Authentication is required to detect this vulnerability |
mail_web_owa14075
mail_web_owamsver |
|
|
CVE-2014-6321 |
Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via crafted packets, aka "Microsoft Schannel Remote Code Execution Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_schannel14066 |
|
|
CVE-2014-6322 |
The Windows Audio service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to gain privileges via a crafted web site, as demonstrated by execution of web script in Internet Explorer, aka "Windows Audio Service Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_audioservice |
|
|
CVE-2014-6323 |
Microsoft Internet Explorer 7 through 11 allows remote attackers to obtain sensitive clipboard information via a crafted web site, aka "Internet Explorer Clipboard Information Disclosure Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-6324 |
The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability." |
Windows Kerberos vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_kerberosms14068 |
|
|
CVE-2014-6325 |
Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2013 SP1 and Cumulative Update 6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "OWA XSS Vulnerability," a different vulnerability than CVE-2014-6326. |
Outlook Web Access
Note: Authentication is required to detect this vulnerability |
mail_web_owa14075
mail_web_owamsver |
|
|
CVE-2014-6326 |
Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2013 SP1 and Cumulative Update 6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "OWA XSS Vulnerability," a different vulnerability than CVE-2014-6325. |
Outlook Web Access
Note: Authentication is required to detect this vulnerability |
mail_web_owa14075
mail_web_owamsver |
|
|
CVE-2014-6327 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6329 and CVE-2014-6376. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-6328 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the XSS filter via a crafted attribute of an element in an HTML document, aka "Internet Explorer XSS Filter Bypass Vulnerability," a different vulnerability than CVE-2014-6365. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-6329 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6327 and CVE-2014-6376. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-6330 |
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v9 |
|
|
CVE-2014-6331 |
Microsoft Active Directory Federation Services (AD FS) 2.0, 2.1, and 3.0, when a configured SAML Relying Party lacks a sign-out endpoint, does not properly process logoff actions, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation, aka "Active Directory Federation Services Information Disclosure Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_fds14077 |
|
|
CVE-2014-6332 |
OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka "Windows OLE Automation Array Remote Code Execution Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_olems14064auto |
|
|
CVE-2014-6333 |
Microsoft Word 2007 SP3, Word Viewer, and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Double Delete Remote Code Execution Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_office2007compat14069
win_patch_word2007
win_patch_wordview2003 |
|
|
CVE-2014-6334 |
Microsoft Word 2007 SP3, Word Viewer, and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Microsoft Office Bad Index Remote Code Execution Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_office2007compat14069
win_patch_word2007
win_patch_wordview2003 |
|
|
CVE-2014-6335 |
Microsoft Word 2007 SP3, Word Viewer, and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Microsoft Office Invalid Pointer Remote Code Execution Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_office2007compat14069
win_patch_word2007
win_patch_wordview2003 |
|
|
CVE-2014-6336 |
Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 6 does not properly validate redirection tokens, which allows remote attackers to redirect users to arbitrary web sites and spoof the origin of e-mail messages via unspecified vectors, aka "Exchange URL Redirection Vulnerability." |
Outlook Web Access
Note: Authentication is required to detect this vulnerability |
mail_web_owa14075
mail_web_owamsver |
|
|
CVE-2014-6337 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-6339 |
Microsoft Internet Explorer 8 and 9 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-6340 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Internet Explorer Cross-domain Information Disclosure Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-6341 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4143. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-6342 |
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6348. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v9 |
|
|
CVE-2014-6343 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-6344 |
Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-6345 |
Microsoft Internet Explorer 9 and 10 allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Internet Explorer Cross-domain Information Disclosure Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v9 |
|
|
CVE-2014-6346 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Internet Explorer Cross-domain Information Disclosure Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-6347 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-6348 |
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6342. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v9 |
|
|
CVE-2014-6349 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2014-6350. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-6350 |
Microsoft Internet Explorer 10 and 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2014-6349. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11 |
|
|
CVE-2014-6351 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-6352 |
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October 2014 with a crafted PowerPoint document. |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_olems14064 |
|
|
CVE-2014-6353 |
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-6354 |
Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 allows remote attackers to execute arbitrary code. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-6355 |
The Graphics Component in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly process JPEG images, which makes it easier for remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Graphics Component Information Disclosure Vulnerability." |
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ms14085graphics |
|
|
CVE-2014-6356 |
Array index error in Microsoft Word 2007 SP3, Word 2010 SP2, and Office Compatibility Pack SP3 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Invalid Index Remote Code Execution Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_office2007compat14081
win_patch_word2010
win_patch_wordview2007 |
|
|
CVE-2014-6357 |
Use-after-free vulnerability in Microsoft Office 2010 SP2, Office 2013 Gold and SP1, Office 2013 RT Gold and SP1, Office for Mac 2011, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 Gold and SP1, and Office Web Apps 2010 SP2 and 2013 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Use After Free Word Remote Code Execution Vulnerability." |
Microsoft Office vulnerabilities
Microsoft Office Web Apps vulnerabilities
Windows updates needed
Note: A valid SNMP read community string is required to detect this vulnerability |
win_patch_office2007compat14081
win_patch_office2011macver
win_patch_officeweb201014081
win_patch_officeweb2013ver
win_patch_sharepoint201014081
win_patch_sharepoint201314081
win_patch_word2010
win_patch_word2013 |
|
|
CVE-2014-6360 |
Microsoft Excel 2007 SP3, Excel 2010 SP2, and Office Compatibility Pack allow remote attackers to execute arbitrary code via a crafted Office document, aka "Global Free Remote Code Execution in Excel Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_excel2007
win_patch_excel2010
win_patch_excelcnv
win_patch_excelview2007 |
|
|
CVE-2014-6361 |
Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 Gold and SP1, Excel 2013 RT Gold and SP1, and Office Compatibility Pack allow remote attackers to execute arbitrary code via a crafted Office document, aka "Excel Invalid Pointer Remote Code Execution Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_excel2007
win_patch_excel2010
win_patch_excel2013
win_patch_excelcnv |
|
|
CVE-2014-6362 |
Use-after-free vulnerability in Microsoft Office 2007 SP3, 2010 SP2, and 2013 Gold and SP1 allows remote attackers to bypass the ASLR protection mechanism via a crafted document, aka "Microsoft Office Component Use After Free Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_office2007ms15013
win_patch_office2010ms15013
win_patch_office2013ms15013 |
|
|
CVE-2014-6363 |
vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Windows updates needed
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9
win_patch_vbscriptms14084 |
|
|
CVE-2014-6364 |
Use-after-free vulnerability in Microsoft Office 2007 SP3; 2010 SP2; 2013 Gold, SP1, and SP2; and 2013 RT Gold and SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Component Use After Free Vulnerability." |
Microsoft Office vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_office200714082
win_patch_office201014082
win_patch_office201314082 |
|
|
CVE-2014-6365 |
Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the XSS filter via a crafted attribute of an element in an HTML document, aka "Internet Explorer XSS Filter Bypass Vulnerability," a different vulnerability than CVE-2014-6328. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-6366 |
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7 |
|
|
CVE-2014-6368 |
Microsoft Internet Explorer 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-6369 |
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v9 |
|
|
CVE-2014-6373 |
Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10 |
|
|
CVE-2014-6374 |
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v10
win_patch_ie_v11
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-6375 |
Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8 |
|
|
CVE-2014-6376 |
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6327 and CVE-2014-6329. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v11 |
|
|
CVE-2014-6394 |
visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory. |
Apple Xcode vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_xcodeversion |
|
|
CVE-2014-6407 |
Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation. |
docker vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_dockerver |
|
|
CVE-2014-6408 |
Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image. |
docker vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_dockerver |
|
|
CVE-2014-6452 |
Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4298, CVE-2014-4299, CVE-2014-4300, CVE-2014-6454, and CVE-2014-6542. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6453 |
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-6467, CVE-2014-6545, and CVE-2014-6560. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6454 |
Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4298, CVE-2014-4299, CVE-2014-4300, CVE-2014-6452, and CVE-2014-6542. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6455 |
Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6456 |
Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6457 |
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. |
Java Web Start
Java Plugin vulnerability
Oracle JRockit vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_jrockitver |
|
|
CVE-2014-6458 |
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6463 |
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:REPLICATION ROW FORMAT BINARY LOG DML. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-6464 |
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB DML FOREIGN KEYS. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-6466 |
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Internet Explorer, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6467 |
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-6453, CVE-2014-6545, and CVE-2014-6560. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6468 |
Unspecified vulnerability in Oracle Java SE 8u20 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6469 |
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-6474 |
Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:MEMCACHED. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-6476 |
Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6527. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6478 |
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote attackers to affect integrity via vectors related to SERVER:SSL:yaSSL. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-6484 |
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to SERVER:DML. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-6485 |
Unspecified vulnerability in Oracle Java SE 8u20 and JavaFX 2.2.65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_javafx
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6489 |
Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect integrity and availability via vectors related to SERVER:SP. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-6491 |
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-6492 |
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6493 |
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6494 |
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6496. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-6495 |
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote attackers to affect availability via vectors related to SERVER:SSL:yaSSL. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-6496 |
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6494. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-6499 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to WebLogic Tuxedo Connector. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-6500 |
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6491. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-6502 |
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6503 |
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6504 |
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, and 7u67, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Hotspot. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6505 |
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to SERVER:MEMORY STORAGE ENGINE. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-6506 |
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6507 |
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-6511 |
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6512 |
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries. |
Java Web Start
Java Plugin vulnerability
Oracle JRockit vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_jrockitver |
|
|
CVE-2014-6513 |
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6514 |
Unspecified vulnerability in the PL/SQL component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality via unknown vectors. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6515 |
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6517 |
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and Jrockit R27.8.3 and R28.3.3 allows remote attackers to affect confidentiality via vectors related to JAXP. |
Java Web Start
Java Plugin vulnerability
Oracle JRockit vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_jre
web_dev_jdk
web_dev_jrockitver |
|
|
CVE-2014-6519 |
Unspecified vulnerability in Oracle Java SE 7u67 and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Hotspot. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6520 |
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:DDL. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-6527 |
Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6476. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6530 |
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to CLIENT:MYSQLDUMP. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-6531 |
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6532 |
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6534 |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, and 12.1.3.0 allows remote authenticated users to affect integrity via vectors related to WLS Console. |
WebLogic vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic |
|
|
CVE-2014-6537 |
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6538 |
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4294, CVE-2014-4295, and CVE-2014-6563. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6540 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.1.34, before 4.2.26, and before 4.3.14 allows local users to affect availability via vectors related to Graphics driver (WDDM) for Windows guests. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-6541 |
Unspecified vulnerability in the Recovery component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2, when running on Windows, allows remote authenticated users to affect confidentiality via vectors related to DBMS_IR. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6542 |
Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4298, CVE-2014-4299, CVE-2014-4300, CVE-2014-6452, and CVE-2014-6454. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6544 |
Unspecified vulnerability in the JDBC component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2014-4289. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6545 |
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-6453, CVE-2014-6467, and CVE-2014-6560. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6546 |
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6547 |
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-4310, and CVE-2014-6477. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6549 |
Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6551 |
Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows local users to affect confidentiality via vectors related to CLIENT:MYSQLADMIN. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-6555 |
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-6558 |
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security. |
Java Web Start
Java Plugin vulnerability
Oracle JRockit vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_jrockitver |
|
|
CVE-2014-6559 |
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality via vectors related to C API SSL CERTIFICATE HANDLING. |
MariaDB vulnerabilities
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version |
|
|
CVE-2014-6560 |
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-6453, CVE-2014-6467, and CVE-2014-6545. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6562 |
Unspecified vulnerability in Oracle Java SE 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6563 |
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4294, CVE-2014-4295, and CVE-2014-6538. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6564 |
Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB FULLTEXT SEARCH DML. |
MySQL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version |
|
|
CVE-2014-6567 |
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that this is a stack-based buffer overflow in DBMS_AW.EXECUTE, which allows code execution via a long Current Directory Alias (CDA) command. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6568 |
Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DML. |
MariaDB vulnerabilities
MySQL vulnerabilities
Cisco FireSIGHT vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mariadbver
database_mysql_version
web_prog_firesightver |
|
|
CVE-2014-6571 |
Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2011-1944. |
Oracle vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_httpserver |
|
|
CVE-2014-6577 |
Unspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher's claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6578 |
Unspecified vulnerability in the Workspace Manager component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SDO_TOPO and WMSYS.LT. |
Oracle Database vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_version |
|
|
CVE-2014-6585 |
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6591. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6587 |
Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6588 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6589, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-6589 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-6590 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6595, and CVE-2015-0427. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-6591 |
Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6585. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_ibmjre
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6593 |
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. |
Java Plugin vulnerability
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_client_ibmjre
web_client_jre
web_dev_jdk
web_dev_webspherever |
|
|
CVE-2014-6595 |
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2015-0427. |
Oracle VirtualBox vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_oraclevirtualboxver |
|
|
CVE-2014-6601 |
Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. |
Java Web Start
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
misc_javawebstart
web_client_jre
web_dev_jdk |
|
|
CVE-2014-6609 |
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-6610 |
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dialplan application. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-7141 |
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet. |
Squid vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_proxy_squid |
|
|
CVE-2014-7142 |
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size. |
Squid vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_proxy_squid |
|
|
CVE-2014-7145 |
The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before 3.16.3 allows remote CIFS servers to cause a denial of service (NULL pointer dereference and client system crash) or possibly have unspecified other impact by deleting the IPC$ share during resolution of DFS referrals. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-7146 |
The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-7154 |
Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ensure possession of the guarding lock for dirty video RAM tracking, which allows certain local guest domains to cause a denial of service via unspecified vectors. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-7155 |
The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1) HLT, (2) LGDT, (3) LIDT, or (4) LMSW instruction. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-7156 |
The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 3.3.x through 4.4.x does not check the supervisor mode permissions for instructions that generate software interrupts, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-7169 |
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. |
VMWare ESX vulnerabilities
Splunk vulnerabilities
Bash vulnerabilities
Cisco FireSIGHT vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_esxbuild
misc_splunkver
shell_bash
shell_bashcodeinject
web_prog_firesightver |
|
|
CVE-2014-7185 |
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-7186 |
The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue. |
VMWare ESX vulnerabilities
MacOSX vulnerabilities
Bash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_esxbuild
misc_macosx_version
shell_bash |
|
|
CVE-2014-7187 |
Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue. |
VMWare ESX vulnerabilities
MacOSX vulnerabilities
Bash vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_esxbuild
misc_macosx_version
shell_bash |
|
|
CVE-2014-7188 |
The hvm_msr_read_intercept function in arch/x86/hvm/hvm.c in Xen 4.1 through 4.4.x uses an improper MSR range for x2APIC emulation, which allows local HVM guests to cause a denial of service (host crash) or read data from the hypervisor or other guests via unspecified vectors. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-7199 |
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, 1.22.x before 1.22.11, and 1.23.x before 1.23.4 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-7216 |
Multiple stack-based buffer overflows in Yahoo! Messenger 11.5.0.228 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the (1) shortcut or (2) title keys in an emoticons.xml file. |
Yahoo Messenger vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_yahoomsgrver |
|
|
CVE-2014-7217 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted ENUM value that is improperly handled during rendering of the (1) table search or (2) table structure page, related to libraries/TableSearch.class.php and libraries/Util.class.php. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-7224 |
A Code Execution vulnerability exists in Android prior to 4.4.0 related to the addJavascriptInterface method and the accessibility and accessibilityTraversal objects, which could let a remote malicious user execute arbitrary code. |
Google Android vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_androidver |
|
|
CVE-2014-7226 |
The file comment feature in Rejetto HTTP File Server (hfs) 2.3c and earlier allows remote attackers to execute arbitrary code by uploading a file with certain invalid UTF-8 byte sequences that are interpreted as executable macro symbols. |
HFS HTTP File Server vulnerabilities
|
web_server_hfsver |
|
|
CVE-2014-7236 |
Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome. |
TWiki vulnerabilities
|
web_prog_cgi_twikiver |
|
|
CVE-2014-7237 |
lib/TWiki/Sandbox.pm in TWiki 6.0.0 and earlier, when running on Windows, allows remote attackers to bypass intended access restrictions and upload files with restricted names via a null byte (%00) in a filename to bin/upload.cgi, as demonstrated using .htaccess to execute arbitrary code. |
TWiki vulnerabilities
|
web_prog_cgi_twikiver |
|
|
CVE-2014-7285 |
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts. |
Symantec Web Gateway vulnerability
|
misc_av_symantec_webgatewayver |
|
|
CVE-2014-7286 |
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors. |
Altiris vulnerabilities
|
misc_av_symantec_altirisver |
|
|
CVE-2014-7295 |
The (1) Special:Preferences and (2) Special:UserLogin pages in MediaWiki before 1.19.20, 1.22.x before 1.22.12 and 1.23.x before 1.23.5 allows remote authenticated users to conduct cross-site scripting (XSS) attacks or have unspecified other impact via crafted CSS, as demonstrated by modifying MediaWiki:Common.css. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-7810 |
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation. |
Apache Tomcat vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver |
|
|
CVE-2014-7817 |
The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))". |
glibc vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_glibcver |
|
|
CVE-2014-7818 |
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence. |
Puppet vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_puppetentver |
|
|
CVE-2014-7822 |
The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-7823 |
The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC password by using the VIR_DOMAIN_XML_MIGRATABLE flag, which triggers the use of the VIR_DOMAIN_XML_SECURE flag. |
libvirt vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_libvirtver |
|
|
CVE-2014-7825 |
kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-7826 |
kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-7829 |
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818. |
Puppet vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_puppetentver |
|
|
CVE-2014-7830 |
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7831 |
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7832 |
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7833 |
mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7834 |
mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7835 |
webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7836 |
Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7837 |
mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to remove wiki pages by leveraging delete access within a different subwiki. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7838 |
Multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for requests that set a tracking preference within (1) mod/forum/deprecatedlib.php, (2) mod/forum/forum.js, (3) mod/forum/index.php, or (4) mod/forum/lib.php. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7841 |
The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-7843 |
The __clear_user function in arch/arm64/lib/clear_user.S in the Linux kernel before 3.17.4 on the ARM64 platform allows local users to cause a denial of service (system crash) by reading one byte beyond a /dev/zero page boundary. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-7844 |
BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via a crafted email address. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-7845 |
The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7846 |
tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7847 |
iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote attackers to cause a denial of service (resource consumption) by triggering the calculation of an estimated latitude and longitude for an IP address. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7848 |
lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. |
Moodle vulnerabilities
|
misc_moodlever |
|
|
CVE-2014-7899 |
Google Chrome before 38.0.2125.101 allows remote attackers to spoof the address bar by placing a blob: substring at the beginning of the URL, followed by the original URI scheme and a long username string. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-7900 |
Use-after-free vulnerability in the CPDF_Parser::IsLinearizedFile function in fpdfapi/fpdf_parser/fpdf_parser_parser.cpp in PDFium, as used in Google Chrome before 39.0.2171.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-7901 |
Integer overflow in the opj_t2_read_packet_data function in fxcodec/fx_libopenjpeg/libopenjpeg20/t2.c in OpenJPEG in PDFium, as used in Google Chrome before 39.0.2171.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long segment in a JPEG image. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-7902 |
Use-after-free vulnerability in PDFium, as used in Google Chrome before 39.0.2171.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-7903 |
Buffer overflow in OpenJPEG before r2911 in PDFium, as used in Google Chrome before 39.0.2171.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted JPEG image. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-7904 |
Buffer overflow in Skia, as used in Google Chrome before 39.0.2171.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-7905 |
Google Chrome before 39.0.2171.65 on Android does not prevent navigation to a URL in cases where an intent for the URL lacks CATEGORY_BROWSABLE, which allows remote attackers to bypass intended access restrictions via a crafted web site. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-7906 |
Use-after-free vulnerability in the Pepper plugins in Google Chrome before 39.0.2171.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted Flash content that triggers an attempted PepperMediaDeviceManager access outside of the object's lifetime. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-7907 |
Multiple use-after-free vulnerabilities in modules/screen_orientation/ScreenOrientationController.cpp in Blink, as used in Google Chrome before 39.0.2171.65, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger improper handling of a detached frame, related to the (1) lock and (2) unlock methods. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-7908 |
Multiple integer overflows in the CheckMov function in media/base/container_names.cc in Google Chrome before 39.0.2171.65 allow remote attackers to cause a denial of service or possibly have unspecified other impact via a large atom in (1) MPEG-4 or (2) QuickTime .mov data. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-7909 |
effects/SkDashPathEffect.cpp in Skia, as used in Google Chrome before 39.0.2171.65, computes a hash key using uninitialized integer values, which might allow remote attackers to cause a denial of service by rendering crafted data. |
Google Chrome vulnerabilities
Opera vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome
web_client_opera9 |
|
|
CVE-2014-7911 |
luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the requirements for serialization, which allows attackers to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy, aka Bug 15874291. |
Google Android vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_androidver |
|
|
CVE-2014-7912 |
The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a large length value of an option in a DHCPACK message. |
Google Android vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_androidver |
|
|
CVE-2014-7913 |
The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted message. |
Google Android vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_androidver |
|
|
CVE-2014-7914 |
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag. |
Google Android vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_androidver |
|
|
CVE-2014-7923 |
The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a look-behind expression. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7924 |
Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering duplicate BLOB references, related to content/browser/indexed_db/indexed_db_callbacks.cc and content/browser/indexed_db/indexed_db_dispatcher_host.cc. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7925 |
Use-after-free vulnerability in the WebAudio implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an audio-rendering thread in which AudioNode data is improperly maintained. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7926 |
The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7927 |
The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7928 |
hydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, does not properly handle arrays with holes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers an array copy. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7929 |
Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving movement of a SCRIPT element across documents. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7930 |
Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of TreeScope data. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7931 |
factory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of backing-store pointers. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7932 |
Use-after-free vulnerability in the Element::detach function in core/dom/Element.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving pending updates of detached elements. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7933 |
Use-after-free vulnerability in the matroska_read_seek function in libavformat/matroskadec.c in FFmpeg before 2.5.1, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Matroska file that triggers improper maintenance of tracks data. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7934 |
Use-after-free vulnerability in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unexpected absence of document data structures. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7935 |
Use-after-free vulnerability in browser/speech/tts_message_filter.cc in the Speech implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving utterances from a closed tab. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7936 |
Use-after-free vulnerability in the ZoomBubbleView::Close function in browser/ui/views/location_bar/zoom_bubble_view.cc in the Views implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that triggers improper maintenance of a zoom bubble. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7937 |
Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7938 |
The Fonts implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7939 |
Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an "X-Content-Type-Options: nosniff" header. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7940 |
The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7941 |
The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect data type for a certain length value, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted X11 data. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7942 |
The Fonts implementation in Google Chrome before 40.0.2214.91 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7943 |
Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7944 |
The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 40.0.2214.91, does not properly handle odd values of image width, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7945 |
OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7946 |
The RenderTable::simplifiedNormalFlowLayout function in core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before 40.0.2214.91, skips captions during table layout in certain situations, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors related to the Fonts implementation. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7947 |
OpenJPEG before r2944, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7948 |
The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in content/browser/appcache/appcache_update_job.cc in Google Chrome before 40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there is an X.509 certificate error, which allows man-in-the-middle attackers to spoof HTML5 application content via a crafted certificate. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-7970 |
The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-7975 |
The do_umount function in fs/namespace.c in the Linux kernel through 3.17 does not require the CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which allows local users to cause a denial of service (loss of writability) by making certain unshare system calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-8005 |
Race condition in the lighttpd module in Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (process reload) by establishing many TCP sessions, aka Bug ID CSCuq45239. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-8014 |
Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCub63710. |
Cisco IOS XR vulnerabilities
Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_iosxr |
|
|
CVE-2014-8024 |
The API in the Guest Server in Cisco Jabber, when the HTML5 CORS feature is used, allows remote attackers to obtain sensitive information by sniffing the network during an HTTP (1) GET or (2) POST request, aka Bug ID CSCus19789. |
Cisco Jabber Guest vulnerabilities
|
web_tool_ciscojabberguest |
|
|
CVE-2014-8025 |
The API in the Guest Server in Cisco Jabber, when HTML5 is used, allows remote attackers to obtain sensitive information by sniffing the network during an HTTP (1) GET or (2) POST response, aka Bug ID CSCus19801. |
Cisco Jabber Guest vulnerabilities
|
web_tool_ciscojabberguest |
|
|
CVE-2014-8026 |
Cross-site scripting (XSS) vulnerability in the Guest Server in Cisco Jabber allows remote attackers to inject arbitrary web script or HTML via a (1) GET or (2) POST parameter, aka Bug ID CSCus08074. |
Cisco Jabber Guest vulnerabilities
|
web_tool_ciscojabberguest |
|
|
CVE-2014-8080 |
The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack. |
MacOSX vulnerabilities
Ruby vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
web_dev_ruby |
|
|
CVE-2014-8083 |
SQL injection vulnerability in the Search::setJsonAlert method in OSClass before 3.4.3 allows remote attackers to execute arbitrary SQL commands via the alert parameter in a search alert subscription action. |
OSClass vulnerabilities
|
web_prog_php_osclassver |
|
|
CVE-2014-8084 |
Directory traversal vulnerability in oc-includes/osclass/controller/ajax.php in OSClass before 3.4.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the ajaxfile parameter in a custom action. |
OSClass vulnerabilities
|
web_prog_php_osclassver |
|
|
CVE-2014-8085 |
Unrestricted file upload vulnerability in the CWebContact::doModel method in oc-includes/osclass/controller/contact.php in OSClass before 3.4.3 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in an unspecified directory. |
OSClass vulnerabilities
|
web_prog_php_osclassver |
|
|
CVE-2014-8086 |
Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17 allows local users to cause a denial of service (file unavailability) via a combination of a write action and an F_SETFL fcntl operation for the O_DIRECT flag. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-8090 |
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8091 |
X.Org X Window System (aka X11 and X) X11R5 and X.Org Server (aka xserver and xorg-server) before 1.16.3, when using SUN-DES-1 (Secure RPC) authentication credentials, does not check the return value of a malloc call, which allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a crafted connection request. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8092 |
Multiple integer overflows in X.Org X Window System (aka X11 or X) X11R1 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to the (1) ProcPutImage, (2) GetHosts, (3) RegionSizeof, or (4) REQUEST_FIXED_SIZE function, which triggers an out-of-bounds read or write. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8093 |
Multiple integer overflows in the GLX extension in XFree86 4.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to the (1) __glXDisp_ReadPixels, (2) __glXDispSwap_ReadPixels, (3) __glXDisp_GetTexImage, (4) __glXDispSwap_GetTexImage, (5) GetSeparableFilter, (6) GetConvolutionFilter, (7) GetHistogram, (8) GetMinmax, (9) GetColorTable, (10) __glXGetAnswerBuffer, (11) __GLX_GET_ANSWER_BUFFER, (12) __glXMap1dReqSize, (13) __glXMap1fReqSize, (14) Map2Size, (15) __glXMap2dReqSize, (16) __glXMap2fReqSize, (17) __glXImageSize, or (18) __glXSeparableFilter2DReqSize function, which triggers an out-of-bounds read or write. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8094 |
Integer overflow in the ProcDRI2GetBuffers function in the DRI2 extension in X.Org Server (aka xserver and xorg-server) 1.7.0 through 1.16.x before 1.16.3 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, which triggers an out-of-bounds read or write. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8095 |
The XInput extension in X.Org X Window System (aka X11 or X) X11R4 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcXChangeDeviceControl, (2) ProcXChangeDeviceControl, (3) ProcXChangeFeedbackControl, (4) ProcXSendExtensionEvent, (5) SProcXIAllowEvents, (6) SProcXIChangeCursor, (7) ProcXIChangeHierarchy, (8) SProcXIGetClientPointer, (9) SProcXIGrabDevice, (10) SProcXIUngrabDevice, (11) ProcXIUngrabDevice, (12) SProcXIPassiveGrabDevice, (13) ProcXIPassiveGrabDevice, (14) SProcXIPassiveUngrabDevice, (15) ProcXIPassiveUngrabDevice, (16) SProcXListDeviceProperties, (17) SProcXDeleteDeviceProperty, (18) SProcXIListProperties, (19) SProcXIDeleteProperty, (20) SProcXIGetProperty, (21) SProcXIQueryDevice, (22) SProcXIQueryPointer, (23) SProcXISelectEvents, (24) SProcXISetClientPointer, (25) SProcXISetFocus, (26) SProcXIGetFocus, or (27) SProcXIWarpPointer function. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8096 |
The SProcXCMiscGetXIDList function in the XC-MISC extension in X.Org X Window System (aka X11 or X) X11R6.0 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8097 |
The DBE extension in X.Org X Window System (aka X11 or X) X11R6.1 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) ProcDbeSwapBuffers or (2) SProcDbeSwapBuffers function. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8098 |
The GLX extension in XFree86 4.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) __glXDisp_Render, (2) __glXDisp_RenderLarge, (3) __glXDispSwap_VendorPrivate, (4) __glXDispSwap_VendorPrivateWithReply, (5) set_client_info, (6) __glXDispSwap_SetClientInfoARB, (7) DoSwapInterval, (8) DoGetProgramString, (9) DoGetString, (10) __glXDispSwap_RenderMode, (11) __glXDisp_GetCompressedTexImage, (12) __glXDispSwap_GetCompressedTexImage, (13) __glXDisp_FeedbackBuffer, (14) __glXDispSwap_FeedbackBuffer, (15) __glXDisp_SelectBuffer, (16) __glXDispSwap_SelectBuffer, (17) __glXDisp_Flush, (18) __glXDispSwap_Flush, (19) __glXDisp_Finish, (20) __glXDispSwap_Finish, (21) __glXDisp_ReadPixels, (22) __glXDispSwap_ReadPixels, (23) __glXDisp_GetTexImage, (24) __glXDispSwap_GetTexImage, (25) __glXDisp_GetPolygonStipple, (26) __glXDispSwap_GetPolygonStipple, (27) __glXDisp_GetSeparableFilter, (28) __glXDisp_GetSeparableFilterEXT, (29) __glXDisp_GetConvolutionFilter, (30) __glXDisp_GetConvolutionFilterEXT, (31) __glXDisp_GetHistogram, (32) __glXDisp_GetHistogramEXT, (33) __glXDisp_GetMinmax, (34) __glXDisp_GetMinmaxEXT, (35) __glXDisp_GetColorTable, (36) __glXDisp_GetColorTableSGI, (37) GetSeparableFilter, (38) GetConvolutionFilter, (39) GetHistogram, (40) GetMinmax, or (41) GetColorTable function. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8099 |
The XVideo extension in XFree86 4.0.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcXvQueryExtension, (2) SProcXvQueryAdaptors, (3) SProcXvQueryEncodings, (4) SProcXvGrabPort, (5) SProcXvUngrabPort, (6) SProcXvPutVideo, (7) SProcXvPutStill, (8) SProcXvGetVideo, (9) SProcXvGetStill, (10) SProcXvPutImage, (11) SProcXvShmPutImage, (12) SProcXvSelectVideoNotify, (13) SProcXvSelectPortNotify, (14) SProcXvStopVideo, (15) SProcXvSetPortAttribute, (16) SProcXvGetPortAttribute, (17) SProcXvQueryBestSize, (18) SProcXvQueryPortAttributes, (19) SProcXvQueryImageAttributes, or (20) SProcXvListImageFormats function. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8100 |
The Render extension in XFree86 4.0.1, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) ProcRenderQueryVersion, (2) SProcRenderQueryVersion, (3) SProcRenderQueryPictFormats, (4) SProcRenderQueryPictIndexValues, (5) SProcRenderCreatePicture, (6) SProcRenderChangePicture, (7) SProcRenderSetPictureClipRectangles, (8) SProcRenderFreePicture, (9) SProcRenderComposite, (10) SProcRenderScale, (11) SProcRenderCreateGlyphSet, (12) SProcRenderReferenceGlyphSet, (13) SProcRenderFreeGlyphSet, (14) SProcRenderFreeGlyphs, or (15) SProcRenderCompositeGlyphs function. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8101 |
The RandR extension in XFree86 4.2.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcRRQueryVersion, (2) SProcRRGetScreenInfo, (3) SProcRRSelectInput, or (4) SProcRRConfigureOutputProperty function. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8102 |
The SProcXFixesSelectSelectionInput function in the XFixes extension in X.Org X Window System (aka X11 or X) X11R6.8.0 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length value. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8103 |
X.Org Server (aka xserver and xorg-server) 1.15.0 through 1.16.x before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) sproc_dri3_query_version, (2) sproc_dri3_open, (3) sproc_dri3_pixmap_from_buffer, (4) sproc_dri3_buffer_from_pixmap, (5) sproc_dri3_fence_from_fd, (6) sproc_dri3_fd_from_fence, (7) proc_present_query_capabilities, (8) sproc_present_query_version, (9) sproc_present_pixmap, (10) sproc_present_notify_msc, (11) sproc_present_select_input, or (12) sproc_present_query_capabilities function in the (a) DRI3 or (b) Present extension. |
X11 vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_x11 |
|
|
CVE-2014-8108 |
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request for a URI that triggers a lookup for a virtual transaction name that does not exist. |
Apache Subversion vulnerabilities
|
web_mod_apachesvnver |
|
|
CVE-2014-8109 |
mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory. |
Apple OS X Server vulnerabilities
MacOSX vulnerabilities
Apache vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_server_version
misc_macosx_version
web_server_apache_version |
|
|
CVE-2014-8111 |
Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors. |
Apache module vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_mod_jkver |
|
|
CVE-2014-8121 |
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up on a database while iterating over it, which triggers the file pointer to be reset. |
glibc vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_glibcver |
|
|
CVE-2014-8127 |
LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted TIFF image to the (1) checkInkNamesString function in tif_dir.c in the thumbnail tool, (2) compresscontig function in tiff2bw.c in the tiff2bw tool, (3) putcontig8bitCIELab function in tif_getimage.c in the tiff2rgba tool, LZWPreDecode function in tif_lzw.c in the (4) tiff2ps or (5) tiffdither tool, (6) NeXTDecode function in tif_next.c in the tiffmedian tool, or (7) TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
libtiff vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver
misc_tiff |
|
|
CVE-2014-8128 |
LibTIFF prior to 4.0.4, as used in Apple iOS before 8.4 and OS X before 10.10.4 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
libtiff vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver
misc_tiff |
|
|
CVE-2014-8129 |
LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by failure of tif_next.c to verify that the BitsPerSample value is 2, and the t2p_sample_lab_signed_to_unsigned function in tiff2pdf.c. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
libtiff vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver
misc_tiff |
|
|
CVE-2014-8130 |
The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
libtiff vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver
misc_tiff |
|
|
CVE-2014-8131 |
The qemu implementation of virConnectGetAllDomainStats in libvirt before 1.2.11 does not properly handle locks when a domain is skipped due to ACL restrictions, which allows a remote authenticated users to cause a denial of service (deadlock or segmentation fault and crash) via a request to access the users does not have privileges to access. |
libvirt vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_libvirtver |
|
|
CVE-2014-8133 |
arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-8134 |
The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-8136 |
The (1) qemuDomainMigratePerform and (2) qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allow local users to cause a denial of service via unspecified vectors. |
libvirt vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_libvirtver |
|
|
CVE-2014-8139 |
Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8140 |
Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8141 |
Heap-based buffer overflow in the getZip64Data function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8142 |
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019. |
PHP vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_version
web_tool_hpsmh |
|
|
CVE-2014-8143 |
Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation. |
Samba vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
win_samba |
|
|
CVE-2014-8146 |
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text. |
iTunes vulnerabilities
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_itunes
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-8147 |
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8150 |
CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8151 |
The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8155 |
GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid. |
GnuTLS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gnutls |
|
|
CVE-2014-8159 |
The InfiniBand (IB) implementation in the Linux kernel package before 2.6.32-504.12.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly restrict use of User Verbs for registration of memory regions, which allows local users to access arbitrary physical memory locations, and consequently cause a denial of service (system crash) or gain privileges, by leveraging permissions on a uverbs device under /dev/infiniband/. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-8160 |
net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-8161 |
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message. |
PostgreSQL vulnerabilities
Apple OS X Server vulnerabilities
MacOSX vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql
misc_macosx_server_version
misc_macosx_version |
|
|
CVE-2014-8176 |
The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data. |
OpenSSL vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_openssl |
|
|
CVE-2014-8178 |
Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands. |
docker vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_dockerver |
|
|
CVE-2014-8179 |
Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation. |
docker vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_dockerver |
|
|
CVE-2014-8275 |
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c. |
MySQL vulnerabilities
Cerberus FTP Server
MacOSX vulnerabilities
OpenSSL vulnerabilities
VMware vulnerabilities
March Networks Products Vulnerabilities
WinSCP vulnerabilities
Cisco FireSIGHT vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version
ftp_cerberusver
misc_macosx_version
misc_openssl
misc_vmware_fusion
misc_vmwareplayerver
misc_vmwarewkstnver
net_marchnvdver
shell_ssh_winscp
web_prog_firesightver
web_tool_hpsmh |
|
|
CVE-2014-8326 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.5, 4.1.x before 4.1.14.6, and 4.2.x before 4.2.10.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name, related to the libraries/DatabaseInterface.class.php code for SQL debug output and the js/server_status_monitor.js code for the server monitor page. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-8361 |
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request, as exploited in the wild through 2023. |
Realtek SDK vulnerabilities
|
misc_realteksdk |
|
|
CVE-2014-8369 |
The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-8370 |
VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, VMware Fusion 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allow host OS users to gain host OS privileges or cause a denial of service (arbitrary write to a file) by modifying a configuration file. |
VMWare ESX vulnerabilities
VMware vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_esxbuild
misc_vmware_fusion
misc_vmwareplayerver
misc_vmwarewkstnver |
|
|
CVE-2014-8412 |
The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to bypass the ACL restrictions via a packet with a source IP that does not share the address family as the first ACL entry. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-8413 |
The res_pjsip_acl module in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 does not properly create and load ACLs defined in pjsip.conf at startup, which allows remote attackers to bypass intended PJSIP ACL rules. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-8414 |
ConfBridge in Asterisk 11.x before 11.14.1 and Certified Asterisk 11.6 before 11.6-cert8 does not properly handle state changes, which allows remote attackers to cause a denial of service (channel hang and memory consumption) by causing transitions to be delayed, which triggers a state change from hung up to waiting for media. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-8415 |
Race condition in the chan_pjsip channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 allows remote attackers to cause a denial of service (assertion failure and crash) via a cancel request for a SIP session with a queued action to (1) answer a session or (2) send ringing. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-8416 |
Use-after-free vulnerability in the PJSIP channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1, when using the res_pjsip_refer module, allows remote attackers to cause a denial of service (crash) via an in-dialog INVITE with Replaces message, which triggers the channel to be hung up. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-8417 |
ConfBridge in Asterisk 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 11.6 before 11.6-cert8 allows remote authenticated users to (1) gain privileges via vectors related to an external protocol to the CONFBRIDGE dialplan function or (2) execute arbitrary system commands via a crafted ConfbridgeStartRecord AMI action. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-8418 |
The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, 11.x before 11.1.4.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8 before 1.8.28-cert8 and 11.6 before 11.6-cert8 allows remote authenticated users to gain privileges via a call from an external protocol, as demonstrated by the AMI protocol. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-8437 |
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow remote attackers to discover session tokens via unspecified vectors. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-8438 |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0573 and CVE-2014-0588. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-8439 |
Adobe Flash Player before 13.0.0.258 and 14.x and 15.x before 15.0.0.239 on Windows and OS X and before 11.2.202.424 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302 allow attackers to execute arbitrary code or cause a denial of service (invalid pointer dereference) via unspecified vectors. |
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-8440 |
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0576, CVE-2014-0581, and CVE-2014-8441. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-8441 |
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0576, CVE-2014-0581, and CVE-2014-8440. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-8442 |
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to complete a transition from Low Integrity to Medium Integrity by leveraging incorrect permissions. |
Adobe AIR vulnerabilities
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_adobe_air
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-8443 |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors. |
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-8445 |
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8446 |
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8447 |
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8448 |
An unspecified JavaScript API in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to obtain sensitive information via unknown vectors, a different vulnerability than CVE-2014-8451. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8449 |
Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8450 |
Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC Classic before 2015.006.30060, and Acrobat and Acrobat Reader DC Continuous before 2015.008.20082 on Windows and OS X allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2015-4449, CVE-2015-4450, CVE-2015-5088, CVE-2015-5089, and CVE-2015-5092. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8451 |
An unspecified JavaScript API in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to obtain sensitive information via unknown vectors, a different vulnerability than CVE-2014-8448. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8452 |
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8453 |
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow remote attackers to bypass the Same Origin Policy via unspecified vectors. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8454 |
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8455 and CVE-2014-9165. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8455 |
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8454 and CVE-2014-9165. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8456 |
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8457 |
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8460 and CVE-2014-9159. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8458 |
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8459 |
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8461, and CVE-2014-9158. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8460 |
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-9159. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8461 |
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, and CVE-2014-9158. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-8480 |
The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel before 3.18-rc2 lacks intended decoder-table flags for certain RIP-relative instructions, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a crafted application. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-8481 |
The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel before 3.18-rc2 does not properly handle invalid instructions, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a crafted application that triggers (1) an improperly fetched instruction or (2) an instruction that occupies too many bytes. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8480. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-8500 |
ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory consumption and named crash) via a large or infinite number of referrals. |
DNS vulnerabilities
Apple OS X Server vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
dns_bindver
misc_macosx_server_version |
|
|
CVE-2014-8507 |
Multiple SQL injection vulnerabilities in the queryLastApp method in packages/WAPPushManager/src/com/android/smspush/WapPushManager.java in the WAPPushManager module in Android before 5.0.0 allow remote attackers to execute arbitrary SQL commands, and consequently launch an activity or service, via the (1) wapAppId or (2) contentType field of a PDU for a malformed WAPPush message, aka Bug 17969135. |
Google Android vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_androidver |
|
|
CVE-2014-8517 |
The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8541 |
libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only dimension differences, and not bits-per-pixel differences, when determining whether an image size has changed, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MJPEG data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-8542 |
libavcodec/utils.c in FFmpeg before 2.4.2 omits a certain codec ID during enforcement of alignment, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted JV data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-8543 |
libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all lines of HHV Intra blocks during validation of image height, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MM video data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-8544 |
libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate bits-per-pixel fields, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted TIFF data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-8545 |
libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the monochrome-black format without verifying that the bits-per-pixel value is 1, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted PNG data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-8546 |
Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2 allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted Cinepak video data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-8547 |
libavcodec/gifdec.c in FFmpeg before 2.4.2 does not properly compute image heights, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted GIF data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-8548 |
Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2 allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted Quicktime Graphics (aka SMC) video data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-8549 |
libavcodec/on2avc.c in FFmpeg before 2.4.2 does not constrain the number of channels to at most 2, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted On2 data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-8553 |
The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-8554 |
SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1609. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-8559 |
The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang) via a crafted application. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-8564 |
The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing requests (CSR), related to generating key IDs. |
GnuTLS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gnutls |
|
|
CVE-2014-8594 |
The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, which allows remote PV guests to cause a denial of service (NULL pointer dereference) by leveraging hardware emulation services for HVM guests using Hardware Assisted Paging (HAP). |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-8595 |
arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a crafted (1) CALL, (2) JMP, (3) RETF, (4) LCALL, (5) LJMP, or (6) LRET far branch instruction. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-8596 |
Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/administration/members.php. |
PHP Fusion vulnerabilities
|
web_prog_php_fusionver |
|
|
CVE-2014-8597 |
A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07 allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin panel. |
PHP Fusion vulnerabilities
|
web_prog_php_fusionver |
|
|
CVE-2014-8598 |
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-8609 |
The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824. |
Google Android vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_androidver |
|
|
CVE-2014-8610 |
AndroidManifest.xml in Android before 5.0.0 does not require the SEND_SMS permission for the SmsReceiver receiver, which allows attackers to send stored SMS messages, and consequently transmit arbitrary new draft SMS messages or trigger additional per-message charges from a network operator for old messages, via a crafted application that broadcasts an intent with the com.android.mms.transaction.MESSAGE_SENT action, aka Bug 17671795. |
Google Android vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_androidver |
|
|
CVE-2014-8611 |
The __sflush function in fflush.c in stdio in libc in FreeBSD 10.1 and the kernel in Apple iOS before 9 mishandles failures of the write system call, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted application. |
MacOSX vulnerabilities
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_mobile_iosver |
|
|
CVE-2014-8630 |
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name. |
Bugzilla vulnerabilities
|
web_prog_cgi_bugzilla |
|
|
CVE-2014-8631 |
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 supports native-interface passing, which allows remote attackers to bypass intended DOM object restrictions via a call to an unspecified method. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-8632 |
The structured-clone implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 does not properly interact with XrayWrapper property filtering, which allows remote attackers to bypass intended DOM object restrictions by leveraging property availability after XrayWrapper removal. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_firefox
web_client_seamonkey |
|
|
CVE-2014-8634 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-8635 |
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-8636 |
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors. |
Mozilla vulnerabilities
Pale Moon vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_palemoonver
web_client_seamonkey
web_client_waterfox |
|
|
CVE-2014-8637 |
Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not properly initialize memory for BMP images, which allows remote attackers to obtain sensitive information from process memory via a crafted web page that triggers the rendering of malformed BMP data within a CANVAS element. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey
web_client_waterfox |
|
|
CVE-2014-8638 |
The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey
web_client_waterfox |
|
|
CVE-2014-8639 |
Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 do not properly interpret Set-Cookie headers within responses that have a 407 (aka Proxy Authentication Required) status code, which allows remote HTTP proxy servers to conduct session fixation attacks by providing a cookie name that corresponds to the session cookie of the origin server. |
Mozilla Thunderbird vulnerabilities
Mozilla vulnerabilities
Pale Moon vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_client_thunderbird
web_client_cyberfoxver
web_client_firefox
web_client_palemoonver
web_client_seamonkey
web_client_waterfox |
|
|
CVE-2014-8640 |
The mozilla::dom::AudioParamTimeline::AudioNodeInputValue function in the Web Audio API implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly restrict timeline operations, which allows remote attackers to cause a denial of service (uninitialized-memory read and application crash) via crafted API calls. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey
web_client_waterfox |
|
|
CVE-2014-8641 |
Use-after-free vulnerability in the WebRTC implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, and SeaMonkey before 2.32 allows remote attackers to execute arbitrary code via crafted track data. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey
web_client_waterfox |
|
|
CVE-2014-8642 |
Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not consider the id-pkix-ocsp-nocheck extension in deciding whether to trust an OCSP responder, which makes it easier for remote attackers to obtain sensitive information by sniffing the network during a session in which there was an incorrect decision to accept a compromised and revoked certificate. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_seamonkey
web_client_waterfox |
|
|
CVE-2014-8643 |
Mozilla Firefox before 35.0 on Windows allows remote attackers to bypass the Gecko Media Plugin (GMP) sandbox protection mechanism by leveraging access to the GMP process, as demonstrated by the OpenH264 plugin's process. |
Mozilla vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_cyberfoxver
web_client_firefox
web_client_waterfox |
|
|
CVE-2014-8680 |
The GeoIP functionality in ISC BIND 9.10.0 through 9.10.1 allows remote attackers to cause a denial of service (assertion failure and named exit) via vectors related to (1) the lack of GeoIP databases for both IPv4 and IPv6, or (2) IPv6 support with certain options. |
DNS vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
dns_bindver |
|
|
CVE-2014-8730 |
The SSL profiles component in F5 BIG-IP LTM, APM, and ASM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, AAM 11.4.0 through 11.5.1, AFM 11.3.0 through 11.5.1, Analytics 11.0.0 through 11.5.1, Edge Gateway, WebAccelerator, and WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, PEM 11.3.0 through 11.6.0, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.4.1 and BIG-IQ Cloud and Security 4.0.0 through 4.4.0 and Device 4.2.0 through 4.4.0, when using TLS 1.x before TLS 1.2, does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE). NOTE: the scope of this identifier is limited to the F5 implementation only. Other vulnerable implementations should receive their own CVE ID, since this is not a vulnerability within the design of TLS 1.x itself. |
SSL POODLE attack
|
misc_tls_poodletls |
|
|
CVE-2014-8761 |
inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call. |
DokuWiki vulnerabilities
|
web_prog_php_dokuwiki |
|
|
CVE-2014-8762 |
The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter. |
DokuWiki vulnerabilities
|
web_prog_php_dokuwiki |
|
|
CVE-2014-8763 |
DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind. |
DokuWiki vulnerabilities
|
web_prog_php_dokuwiki |
|
|
CVE-2014-8764 |
DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind. |
DokuWiki vulnerabilities
|
web_prog_php_dokuwiki |
|
|
CVE-2014-8767 |
Integer underflow in the olsr_print function in tcpdump 3.9.6 through 4.6.2, when in verbose mode, allows remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8769 |
tcpdump 3.8 through 4.6.2 might allow remote attackers to obtain sensitive information from memory or cause a denial of service (packet loss or segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV) packet, which triggers an out-of-bounds memory access. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8773 |
MODX Revolution 2.x before 2.2.15 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism by (1) omitting the CSRF token or via a (2) long string in the CSRF token parameter. |
MODx Revolution vulnerabilities
|
web_prog_php_modxrevver |
|
|
CVE-2014-8774 |
Cross-site scripting (XSS) vulnerability in manager/index.php in MODX Revolution 2.x before 2.2.15 allows remote attackers to inject arbitrary web script or HTML via the context_key parameter. |
MODx Revolution vulnerabilities
|
web_prog_php_modxrevver |
|
|
CVE-2014-8775 |
MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
MODx Revolution vulnerabilities
|
web_prog_php_modxrevver |
|
|
CVE-2014-8816 |
CoreGraphics in Apple OS X before 10.10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted PDF document. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8817 |
coresymbolicationd in CoreSymbolication in Apple OS X before 10.10.2 does not verify that expected data types are present in XPC messages, which allows attackers to execute arbitrary code in a privileged context via a crafted app, as demonstrated by lack of verification of xpc_dictionary_get_value API return values during handling of a (1) match_mmap_archives, (2) delete_mmap_archives, (3) write_mmap_archive, or (4) read_mmap_archive command. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8819 |
The Intel Graphics Driver in Apple OS X before 10.10.2 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2014-8820 and CVE-2014-8821. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8820 |
The Intel Graphics Driver in Apple OS X before 10.10.2 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2014-8819 and CVE-2014-8821. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8821 |
The Intel Graphics Driver in Apple OS X before 10.10.2 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2014-8819 and CVE-2014-8820. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8822 |
IOHIDFamily in Apple OS X before 10.10.2 allows attackers to execute arbitrary code in a kernel context or cause a denial of service (write to kernel memory) via a crafted app that calls an unspecified user-client method. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8823 |
The IOUSBControllerUserClient::ReadRegister function in the IOUSB controller in IOUSBFamily in Apple OS X before 10.10.2 allows local users to read data from arbitrary kernel-memory locations by leveraging root access and providing a crafted first argument. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8824 |
The kernel in Apple OS X before 10.10.2 does not properly validate IODataQueue object metadata fields, which allows attackers to execute arbitrary code in a privileged context via a crafted app. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8825 |
The kernel in Apple OS X before 10.10.2 does not properly perform identitysvc validation of certain directory-service functionality, which allows local users to gain privileges or spoof directory-service responses via unspecified vectors. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8826 |
LaunchServices in Apple OS X before 10.10.2 does not properly handle file-type metadata, which allows attackers to bypass the Gatekeeper protection mechanism via a crafted JAR archive. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8827 |
LoginWindow in Apple OS X before 10.10.2 does not transition to the lock-screen state immediately upon being woken from sleep, which allows physically proximate attackers to obtain sensitive information by reading the screen. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8828 |
Sandbox in Apple OS X before 10.10 allows attackers to write to the sandbox-profile cache via a sandboxed app that includes a com.apple.sandbox segment in a path. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8829 |
SceneKit in Apple OS X before 10.10.2 allows attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via a crafted app. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8830 |
Heap-based buffer overflow in SceneKit in Apple OS X before 10.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted accessor element in a Collada file. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8831 |
security_taskgate in Apple OS X before 10.10.2 allows attackers to read group-ACL-restricted keychain items of arbitrary apps via a crafted app with a signature from a (1) self-signed certificate or (2) Developer ID certificate. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8832 |
The indexing functionality in Spotlight in Apple OS X before 10.10.2 writes memory contents to an external hard drive, which allows local users to obtain sensitive information by reading from this drive. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8833 |
SpotlightIndex in Apple OS X before 10.10.2 does not properly perform deserialization during access to a permission cache, which allows local users to read search results associated with other users' protected files via a Spotlight query. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8834 |
UserAccountUpdater in Apple OS X 10.10 before 10.10.2 stores a PDF document's password in a printing preference file, which allows local users to obtain sensitive information by reading a file. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8835 |
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8836 |
The Bluetooth driver in Apple OS X before 10.10.2 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (arbitrary-size bzero of kernel memory) via a crafted app. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8837 |
Multiple unspecified vulnerabilities in the Bluetooth driver in Apple OS X before 10.10.2 allow attackers to execute arbitrary code in a privileged context via a crafted app. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8838 |
The Security component in Apple OS X before 10.10.2 does not properly process cached information about app certificates, which allows attackers to bypass the Gatekeeper protection mechanism by leveraging access to a revoked Developer ID certificate for signing a crafted app. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8839 |
Spotlight in Apple OS X before 10.10.2 does not enforce the Mail "Load remote content in messages" configuration, which allows remote attackers to discover recipient IP addresses by including an inline image in an HTML e-mail message and logging HTTP requests for this image's URL. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-8840 |
The iTunes Store component in Apple iOS before 8.1.3 allows remote attackers to bypass a Safari sandbox protection mechanism by leveraging redirection of an SSL URL to the iTunes Store. |
Apple iOS vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_mobile_iosver |
|
|
CVE-2014-8866 |
The compatibility mode hypercall argument translation in Xen 3.3.x through 4.4.x, when running on a 64-bit hypervisor, allows local 32-bit HVM guests to cause a denial of service (host crash) via vectors involving altering the high halves of registers while in 64-bit mode. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-8867 |
The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x, and earlier lacks properly bounds checking for memory mapped I/O (MMIO) emulated in the hypervisor, which allows local HVM guests to cause a denial of service (host crash) via unspecified vectors. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-8890 |
IBM WebSphere Application Server Liberty Profile 8.5.x before 8.5.5.4 allows remote attackers to gain privileges by leveraging the combination of a servlet's deployment descriptor security constraints and ServletSecurity annotations. |
WebSphere vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_dev_webspherever |
|
|
CVE-2014-8891 |
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors related to the security manager. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre |
|
|
CVE-2014-8892 |
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to bypass intended access permissions and obtain sensitive information via unspecified vectors related to the security manager. |
Java Plugin vulnerability
Note: Authentication is required to detect this vulnerability |
web_client_ibmjre |
|
|
CVE-2014-8910 |
IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to read arbitrary text files via a crafted XML/XSLT function in a SELECT statement. |
DB2 vulnerabilities
|
database_db2ver |
|
|
CVE-2014-8917 |
Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media Analytics 1.3 before IF11 and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Lotus Notes email client vulnerabilities
Lotus Domino SMTP vulnerability
Note: Authentication is required to detect this vulnerability |
mail_client_notesfilever
mail_smtp_domino |
|
|
CVE-2014-8958 |
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database, (2) table, or (3) column name that is improperly handled during rendering of the table browse page; a crafted ENUM value that is improperly handled during rendering of the (4) table print view or (5) zoom search page; or (6) a crafted pma_fontsize cookie that is improperly handled during rendering of the home page. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-8959 |
Directory traversal vulnerability in libraries/gis/GIS_Factory.class.php in the GIS editor in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allows remote authenticated users to include and execute arbitrary local files via a crafted geometry-type parameter. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-8960 |
Cross-site scripting (XSS) vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-8961 |
Directory traversal vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to obtain potentially sensitive information about a file's line count via a crafted parameter. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-8964 |
Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats. |
PCRE vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_pcrever |
|
|
CVE-2014-8966 |
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v6
win_patch_ie_v7
win_patch_ie_v8 |
|
|
CVE-2014-8967 |
Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted HTML document in conjunction with a Cascading Style Sheets (CSS) token sequence specifying the run-in value for the display property, leading to improper CElement reference counting. |
Internet Explorer vulnerabilities
Note: Authentication is required to detect this vulnerability |
win_patch_ie_v8
win_patch_ie_v9 |
|
|
CVE-2014-8986 |
Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-8987 |
Cross-site scripting (XSS) vulnerability in the "set configuration" box in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via the config_option parameter, a different vulnerability than CVE-2014-8986. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-8988 |
MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-8989 |
The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a "negative groups" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-8992 |
Cross-site scripting (XSS) vulnerability in manager/assets/fileapi/FileAPI.flash.image.swf in MODX Revolution 2.3.2-pl allows remote attackers to inject arbitrary web script or HTML via the callback parameter. |
MODx Revolution vulnerabilities
|
web_prog_php_modxrevver |
|
|
CVE-2014-9015 |
Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions. |
Drupal vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal |
|
|
CVE-2014-9016 |
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request. |
Drupal vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal |
|
|
CVE-2014-9030 |
The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-9031 |
Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-9032 |
Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-9033 |
Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-9034 |
wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-9035 |
Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-9036 |
Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-9037 |
WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-9038 |
wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-9039 |
wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message. |
WordPress vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_wordpress |
|
|
CVE-2014-9050 |
Heap-based buffer overflow in the cli_scanpe function in libclamav/pe.c in ClamAV before 0.98.5 allows remote attackers to cause a denial of service (crash) via a crafted y0da Crypter PE file. |
ClamAV vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_av_clam
misc_av_clamwinupx |
|
|
CVE-2014-9065 |
common/spinlock.c in Xen 4.4.x and earlier does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability to CVE-2014-9066. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-9066 |
Xen 4.4.x and earlier, when using a large number of VCPUs, does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability than CVE-2014-9065. |
Xen vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_xenver |
|
|
CVE-2014-9087 |
Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow. |
GnuPG vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gnupgsmime |
|
|
CVE-2014-9089 |
Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to view_all_set.php. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-9093 |
LibreOffice before 4.3.5 allows remote attackers to cause a denial of service (invalid write operation and crash) and possibly execute arbitrary code via a crafted RTF file. |
OpenOffice vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_libreoffice |
|
|
CVE-2014-9117 |
MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-9140 |
Buffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump 4.6.2 and earlier allows remote attackers to cause a denial of service (crash) cia a crafted PPP packet. |
MacOSX vulnerabilities
tcpdump vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_tcpdump |
|
|
CVE-2014-9150 |
Race condition in the MoveFileEx call hook feature in Adobe Reader and Acrobat 11.x before 11.0.09 on Windows allows attackers to bypass a sandbox protection mechanism, and consequently write to files in arbitrary locations, via an NTFS junction attack, a similar issue to CVE-2014-0568. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-9158 |
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, and CVE-2014-8461. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-9159 |
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-9160 |
Multiple heap-based buffer overflows in Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to execute arbitrary code via unknown vectors. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-9161 |
CoolType.dll in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows, and 10.x through 10.1.13 and 11.x through 11.0.10 on OS X, allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted PDF document. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-9162 |
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to obtain sensitive information via unspecified vectors. |
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-9163 |
Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014. |
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-9164 |
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0587. |
Flash vulnerabilities
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_flash
misc_flashie
web_client_googlechrome |
|
|
CVE-2014-9165 |
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8454 and CVE-2014-8455. |
Adobe Acrobat vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_acrobat
misc_acroread |
|
|
CVE-2014-9218 |
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (resource consumption) via a long password. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-9219 |
Cross-site scripting (XSS) vulnerability in the redirection feature in url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter. |
phpMyAdmin vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_myadminver |
|
|
CVE-2014-9222 |
AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the "Misfortune Cookie" vulnerability. |
Allegro RomPager vulnerabilities
|
net_rompagerver |
|
|
CVE-2014-9223 |
Multiple buffer overflows in AllegroSoft RomPager, as used in Huawei Home Gateway products and other vendors and products, allow remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors related to authorization. |
Allegro RomPager vulnerabilities
|
net_rompagerver |
|
|
CVE-2014-9227 |
Multiple untrusted search path vulnerabilities in the Manager component in Symantec Endpoint Protection (SEP) before 12.1.6 allow local users to gain privileges via a Trojan horse DLL in an unspecified directory. |
Symantec vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_av_symantec_sepmver |
|
|
CVE-2014-9228 |
sysplant.sys in the Manager component in Symantec Endpoint Protection (SEP) before 12.1.6 allows local users to cause a denial of service (blocked system shutdown) by triggering an unspecified deadlock condition. |
Symantec vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_av_symantec_sepmver |
|
|
CVE-2014-9229 |
Multiple SQL injection vulnerabilities in interface PHP scripts in the Manager component in Symantec Endpoint Protection (SEP) before 12.1.6 allow remote authenticated users to execute arbitrary SQL commands by leveraging the Limited Administrator role. |
Symantec vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_av_symantec_sepmver |
|
|
CVE-2014-9239 |
SQL injection vulnerability in the IPS Connect service (interface/ipsconnect/ipsconnect.php) in Invision Power Board (aka IPB or IP.Board) 3.3.x and 3.4.x through 3.4.7 before 20141114 allows remote attackers to execute arbitrary SQL commands via the id[] parameter. |
Invision Power Board
|
web_prog_php_ipbversion |
|
|
CVE-2014-9254 |
bb_func_unsub.php in MiniBB 3.1 before 20141127 uses an incorrect regular expression, which allows remote attackers to conduct SQl injection attacks via the code parameter in an unsubscribe action to index.php. |
miniBB vulnerabilities
|
web_prog_php_minibbver |
|
|
CVE-2014-9258 |
SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter. |
GLPI vulnerabilities
|
web_tool_glpiver |
|
|
CVE-2014-9269 |
Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-9270 |
Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-9271 |
Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-9272 |
The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-9280 |
The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-9281 |
Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-9293 |
The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. |
NTP vulnerabilities
March Networks Products Vulnerabilities
Cisco FireSIGHT vulnerabilities
|
misc_ntpdver
net_marchnvdver
web_prog_firesightver |
|
|
CVE-2014-9294 |
util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. |
NTP vulnerabilities
March Networks Products Vulnerabilities
Cisco FireSIGHT vulnerabilities
|
misc_ntpdver
net_marchnvdver
web_prog_firesightver |
|
|
CVE-2014-9295 |
Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function. |
NTP vulnerabilities
March Networks Products Vulnerabilities
Cisco FireSIGHT vulnerabilities
|
misc_ntpdver
net_marchnvdver
web_prog_firesightver |
|
|
CVE-2014-9296 |
The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets. |
NTP vulnerabilities
March Networks Products Vulnerabilities
Cisco FireSIGHT vulnerabilities
|
misc_ntpdver
net_marchnvdver
web_prog_firesightver |
|
|
CVE-2014-9316 |
The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via vectors related to LJIF tags in an MJPEG file. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-9317 |
The decode_ihdr_chunk function in libavcodec/pngdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via an IDAT before an IHDR in a PNG file. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-9318 |
The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via a crafted .cine file that triggers the avpicture_get_size function to return a negative frame size. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-9319 |
The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted .bit file. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-9322 |
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-9323 |
The xdr_status_vector function in Firebird before 2.1.7 and 2.5.x before 2.5.3 SU1 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and crash) via an op_response action with a non-empty status. |
Firebird vulnerabilities
Note: Authentication is required to detect this vulnerability |
database_firebird_ver |
|
|
CVE-2014-9325 |
Multiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERYSTRING variable in lib/TWiki.pm or (2) QUERYPARAMSTRING variable in lib/TWiki/UI/View.pm, as demonstrated by the QUERY_STRING to do/view/Main/TWikiPreferences. |
TWiki vulnerabilities
|
web_prog_cgi_twikiver |
|
|
CVE-2014-9328 |
ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted upack packer file, related to a "heap out of bounds condition." |
ClamAV vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_av_clam
misc_av_clamwinupx |
|
|
CVE-2014-9330 |
Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) via crafted BMP image, related to dimensions, which triggers an out-of-bounds read. |
libtiff vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_tiff |
|
|
CVE-2014-9355 |
Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint. |
Puppet vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_tool_puppetentver |
|
|
CVE-2014-9356 |
Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile. |
docker vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_dockerver |
|
|
CVE-2014-9357 |
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction. |
docker vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_dockerver |
|
|
CVE-2014-9358 |
Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications." |
docker vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_dockerver |
|
|
CVE-2014-9365 |
The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
MacOSX vulnerabilities
Python vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_python |
|
|
CVE-2014-9367 |
Incomplete blacklist vulnerability in the urlEncode function in lib/TWiki.pm in TWiki 6.0.0 and 6.0.1 allows remote attackers to conduct cross-site scripting (XSS) attacks via a "'" (single quote) in the scope parameter to do/view/TWiki/WebSearch. |
TWiki vulnerabilities
|
web_prog_cgi_twikiver |
|
|
CVE-2014-9374 |
Double free vulnerability in the WebSocket Server (res_http_websocket module) in Asterisk Open Source 11.x before 11.14.2, 12.x before 12.7.2, and 13.x before 13.0.2 and Certified Asterisk 11.6 before 11.6-cert9 allows remote attackers to cause a denial of service (crash) by sending a zero length frame after a non-zero length frame. |
Asterisk vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
net_asteriskver |
|
|
CVE-2014-9388 |
bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-9402 |
The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process. |
glibc vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_glibcver |
|
|
CVE-2014-9419 |
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-9420 |
The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-9421 |
The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind. |
Kerberos detected
Note: Authentication is required to detect this vulnerability |
misc_kerberospkg |
|
|
CVE-2014-9422 |
The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal. |
Kerberos detected
Note: Authentication is required to detect this vulnerability |
misc_kerberospkg |
|
|
CVE-2014-9423 |
The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field. |
Kerberos detected
Note: Authentication is required to detect this vulnerability |
misc_kerberospkg |
|
|
CVE-2014-9425 |
Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-9426 |
The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which allows remote attackers to cause a denial of service (memory corruption or application crash) or possibly have unspecified other impact via unknown vectors. NOTE: this is disputed by the vendor because the standard erealloc behavior makes the free operation unreachable |
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_version |
|
|
CVE-2014-9427 |
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping. |
MacOSX vulnerabilities
PHP vulnerabilities
HP SMH vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version
web_tool_hpsmh |
|
|
CVE-2014-9428 |
The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-9439 |
Cross-site scripting (XSS) vulnerability in Easy File Sharing Web Server 6.8 allows remote attackers to inject arbitrary web script or HTML via the username field during registration, which is not properly handled by forum.ghp. |
Easy File Sharing Web Server
|
web_server_efswsver |
|
|
CVE-2014-9458 |
Heap-based buffer overflow in the GDB debugger module in Hex-Rays IDA Pro before 6.6 cumulative fix 2014-12-24 allows remote GDB servers to have unspecified impact via unknown vectors. |
IDA Pro vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_idaprover |
|
|
CVE-2014-9475 |
Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-9476 |
MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/." |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-9477 |
Multiple cross-site scripting (XSS) vulnerabilities in the Listings extension for MediaWiki allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) url parameter. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-9478 |
Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-9479 |
Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-9480 |
Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-9481 |
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-9487 |
The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-9495 |
Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-9508 |
The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers to change URLs to arbitrary domains for those links via unknown vectors. |
TYPO3 vulnerabilities
|
web_prog_php_typo3ver |
|
|
CVE-2014-9509 |
The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set to all or cached, allows remote attackers to have an unspecified impact (possibly resource consumption) via a "Cache Poisoning" attack using a URL with arbitrary arguments, which triggers a reload of the page. |
TYPO3 vulnerabilities
|
web_prog_php_typo3ver |
|
|
CVE-2014-9512 |
rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path. |
MacOSX vulnerabilities
rsyncd vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
misc_rsyncdver |
|
|
CVE-2014-9529 |
Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-9571 |
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter. |
Mantis vulnerabilities
|
web_prog_php_mantisxss2 |
|
|
CVE-2014-9572 |
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-9573 |
SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-9584 |
The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-9585 |
The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-9587 |
Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins. |
RoundCube webmail vulnerabilities
Note: Authentication is required to detect this vulnerability |
mail_web_roundcubever |
|
|
CVE-2014-9602 |
libavcodec/xface.h in FFmpeg before 2.5.2 establishes certain digits and words array dimensions that do not satisfy a required mathematical relationship, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted X-Face image data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-9603 |
The vmd_decode function in libavcodec/vmdvideo.c in FFmpeg before 2.5.2 does not validate the relationship between a certain length value and the frame width, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Sierra VMD video data. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-9604 |
libavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check for a zero value of a slice height, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Ut Video data, related to the (1) restore_median and (2) restore_median_il functions. |
FFmpeg vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_ffmpegver |
|
|
CVE-2014-9624 |
CAPTCHA bypass vulnerability in MantisBT before 1.2.19. |
Mantis vulnerabilities
|
web_prog_php_mantis |
|
|
CVE-2014-9626 |
Integer underflow in the MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a box size less than 7. |
VLC vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_vlc |
|
|
CVE-2014-9627 |
The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large box size. |
VLC vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_vlc |
|
|
CVE-2014-9628 |
The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 allows remote attackers to trigger an unintended zero-size malloc and conduct buffer overflow attacks, and consequently execute arbitrary code, via a box size of 7. |
VLC vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_vlc |
|
|
CVE-2014-9629 |
Integer overflow in the Encode function in modules/codec/schroedinger.c in VideoLAN VLC media player before 2.1.6 and 2.2.x before 2.2.1 allows remote attackers to conduct buffer overflow attacks and execute arbitrary code via a crafted length value. |
VLC vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_vlc |
|
|
CVE-2014-9644 |
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-9652 |
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file. |
MacOSX vulnerabilities
HP SMH vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
web_tool_hpsmh |
|
|
CVE-2014-9653 |
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. |
HP SMH vulnerabilities
|
web_tool_hpsmh |
|
|
CVE-2014-9655 |
The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif. |
libtiff vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_tiff |
|
|
CVE-2014-9656 |
The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9657 |
The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9658 |
The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9660 |
The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not properly handle a missing ENDCHAR record, which allows remote attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted BDF font. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9661 |
type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9662 |
cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9663 |
The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9664 |
FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9665 |
The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9666 |
The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9667 |
sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9668 |
The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9669 |
Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9670 |
Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9671 |
Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PCF file with a 0xffffffff size value that is improperly incremented. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9672 |
Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9673 |
Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9674 |
The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9675 |
bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9679 |
Integer underflow in the cupsRasterReadPixels function in filter/raster.c in CUPS before 2.0.2 allows remote attackers to have unspecified impact via a malformed compressed raster file, which triggers a buffer overflow. |
CUPS vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
printer_cupsversion |
|
|
CVE-2014-9680 |
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-9683 |
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-9689 |
content/renderer/device_sensors/device_orientation_event_pump.cc in Google Chrome before 41.0.2272.76 does not properly restrict access to high-rate gyroscope data, which makes it easier for remote attackers to obtain speech signals from a device's physical environment via a crafted web site that listens for ondeviceorientation events, a different vulnerability than CVE-2015-1231. |
Google Chrome vulnerabilities
Note: Authentication is required to detect this vulnerability |
web_client_googlechrome |
|
|
CVE-2014-9705 |
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries. |
MacOSX vulnerabilities
HP SMH vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
web_tool_hpsmh |
|
|
CVE-2014-9709 |
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function. |
MacOSX vulnerabilities
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
misc_macosx_version
web_prog_php_version |
|
|
CVE-2014-9714 |
Cross-site scripting (XSS) vulnerability in the WddxPacket::recursiveAddVar function in HHVM (aka the HipHop Virtual Machine) before 3.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted string to the wddx_serialize_value function. |
MediaWiki vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_mediawiki |
|
|
CVE-2014-9717 |
fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-9745 |
The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (infinite loop) via a "broken number-with-base" in a Postscript stream, as demonstrated by 8#garbage. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9746 |
The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse_font_matrix function in cid/cidload.c, (3) t42_parse_font_matrix function in type42/t42parse.c, and (4) ps_parser_load_field function in psaux/psobjs.c in FreeType before 2.5.4 do not check return values, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted font. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9747 |
The t42_parse_encoding function in type42/t42parse.c in FreeType before 2.5.4 does not properly update the current position for immediates-only mode, which allows remote attackers to cause a denial of service (infinite loop) via a Type42 font. |
FreeType vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_freetype |
|
|
CVE-2014-9750 |
ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field. |
MacOSX vulnerabilities
NTP vulnerabilities
March Networks Products Vulnerabilities
Cisco FireSIGHT vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_ntpdver
net_marchnvdver
web_prog_firesightver |
|
|
CVE-2014-9751 |
The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before 4.2.8p1 on Linux and OS X does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address. |
MacOSX vulnerabilities
NTP vulnerabilities
March Networks Products Vulnerabilities
Cisco FireSIGHT vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version
misc_ntpdver
net_marchnvdver
web_prog_firesightver |
|
|
CVE-2014-9761 |
Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function. |
glibc vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_glibcver |
|
|
CVE-2014-9767 |
Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive. |
PHP vulnerabilities
Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_version |
|
|
CVE-2014-9769 |
pcre_jit_compile.c in PCRE 8.35 does not properly use table jumps to optimize nested alternatives, which allows remote attackers to cause a denial of service (stack memory corruption) or possibly have unspecified other impact via a crafted string, as demonstrated by packets encountered by Suricata during use of a regular expression in an Emerging Threats Open ruleset. |
PCRE vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_lib_pcrever |
|
|
CVE-2014-9862 |
Integer signedness error in bspatch.c in bspatch in bsdiff, as used in Apple OS X before 10.11.6 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted patch file. |
MacOSX vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_macosx_version |
|
|
CVE-2014-9900 |
The ethtool_get_wol function in net/core/ethtool.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not initialize a certain data structure, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28803952 and Qualcomm internal bug CR570754. |
Linux Kernel vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_linuxkernel |
|
|
CVE-2014-9938 |
contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution. |
Git vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_gitver |
|
|
CVE-2014-9984 |
nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd. |
glibc vulnerabilities
Note: Authentication is required to detect this vulnerability |
misc_glibcver |
|
: A dangerous check is available for this vulnerability.