CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
6751 CVE-2014-2667 362 Bypass 2014-11-16 2017-07-01
3.3
None Local Medium Not required Partial Partial None
Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
6752 CVE-2014-2571 79 XSS 2014-03-24 2020-12-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the quiz_question_tostring function in mod/quiz/editlib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to inject arbitrary web script or HTML via a quiz question.
6753 CVE-2014-2553 79 XSS 2014-04-02 2014-05-05
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields.
6754 CVE-2014-2524 59 2014-08-20 2018-10-30
3.3
None Local Medium Not required None Partial Partial
The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 allows local users to create or overwrite arbitrary files via a symlink attack on a /var/tmp/rltrace.[PID] file.
6755 CVE-2014-2512 79 XSS 2014-07-01 2018-10-09
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum eRoom 7.4.3, 7.4.4 before P19, and 7.4.4 SP1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
6756 CVE-2014-2486 2014-07-17 2018-10-09
3.0
None Local Medium ??? None Partial Partial
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-2477.
6757 CVE-2014-2477 1 2014-07-17 2018-10-09
3.6
None Local Low Not required None Partial Partial
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-2486.
6758 CVE-2014-2467 2014-04-16 2014-04-16
3.5
None Remote Medium ??? None Partial None
Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Security, a different vulnerability than CVE-2014-2445.
6759 CVE-2014-2464 2014-04-16 2014-04-16
3.5
None Remote Medium ??? Partial None None
Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.
6760 CVE-2014-2459 2014-04-16 2014-04-16
3.7
None Local High Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.3.2 and 6.3.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Security.
6761 CVE-2014-2451 2014-04-16 2014-04-16
3.5
None Remote Medium ??? None None Partial
Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Privileges.
6762 CVE-2014-2445 2014-04-16 2014-04-16
3.5
None Remote Medium ??? None Partial None
Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Security, a different vulnerability than CVE-2014-2467.
6763 CVE-2014-2438 2014-04-16 2019-12-17
3.5
None Remote Medium ??? None None Partial
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication.
6764 CVE-2014-2430 2014-04-16 2019-12-17
3.5
None Remote Medium ??? None None Partial
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema.
6765 CVE-2014-2398 2014-04-16 2020-09-08
3.5
None Remote Medium ??? None Partial None
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and JRockit R27.8.1 and R28.3.1 allows remote authenticated users to affect integrity via unknown vectors related to Javadoc.
6766 CVE-2014-2370 79 XSS 2014-07-24 2015-10-08
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the web application on Omron NS5, NS8, NS10, NS12, and NS15 HMI terminals 8.1xx through 8.68x allows remote authenticated users to inject arbitrary web script or HTML via crafted data.
6767 CVE-2014-2347 264 +Info 2014-05-06 2014-05-06
3.5
None Remote Medium ??? Partial None None
Amtelco miSecureMessages (aka MSM) 6.2 does not properly manage sessions, which allows remote authenticated users to obtain sensitive information via a modified message request.
6768 CVE-2014-2329 79 XSS 2015-08-31 2015-09-01
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Check_MK before 1.2.2p3 and 1.2.3x before 1.2.3i5 allow remote authenticated users to inject arbitrary web script or HTML via the (1) agent string for a check_mk agent, a (2) crafted request to a monitored host, which is not properly handled by the logwatch module, or other unspecified vectors.
6769 CVE-2014-2291 79 XSS 2014-03-14 2017-08-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Pulse Collaboration (Secure Meeting) user pages in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS before 7.1r18, 7.3 before 7.3r10, 7.4 before 7.4r8, and 8.0 before 8.0r1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
6770 CVE-2014-2289 20 DoS 2014-04-18 2014-04-21
3.5
None Remote Medium ??? None None Partial
res/res_pjsip_exten_state.c in the PJSIP channel driver in Asterisk Open Source 12.x before 12.1.0 allows remote authenticated users to cause a denial of service (crash) via a SUBSCRIBE request without any Accept headers, which triggers an invalid pointer dereference.
6771 CVE-2014-2287 20 DoS 2014-04-18 2014-04-21
3.5
None Remote Medium ??? None None Partial
channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.15 before 1.8.15-cert5 and 11.6 before 11.6-cert2, when chan_sip has a certain configuration, allows remote authenticated users to cause a denial of service (channel and file descriptor consumption) via an INVITE request with a (1) Session-Expires or (2) Min-SE header with a malformed or invalid value.
6772 CVE-2014-2277 284 +Info 2017-10-17 2020-02-04
3.6
None Local Low Not required Partial Partial None
The make_temporary_filename function in perltidy 20120701-1 and earlier allows local users to obtain sensitive information or write to arbitrary files via a symlink attack, related to use of the tmpnam function.
6773 CVE-2014-2260 79 XSS 2014-04-30 2014-05-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in plugins/main/content/js/ajenti.coffee in Eugene Pankov Ajenti 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via the command field in the Cron functionality.
6774 CVE-2014-2091 79 XSS 2014-03-02 2015-08-13
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php in ATutor 2.1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the title parameter in an add_forum action. NOTE: the original disclosure also reported issues that may not cross privilege boundaries.
6775 CVE-2014-2090 79 XSS 2014-03-02 2014-03-03
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in ilias.php in ILIAS 4.4.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tar, (2) tar_val, or (3) title parameter.
6776 CVE-2014-2068 264 +Info 2014-10-17 2016-06-13
3.5
None Remote Medium ??? Partial None None
The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.
6777 CVE-2014-2067 79 XSS 2014-03-01 2017-08-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."
6778 CVE-2014-2021 79 XSS 2014-10-25 2017-08-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.
6779 CVE-2014-1995 79 XSS 2014-07-20 2014-07-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Map search functionality in Cybozu Garoon 2.x and 3.x before 3.7 SP4 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
6780 CVE-2014-1994 79 XSS 2014-07-20 2014-07-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Notices portlet in Cybozu Garoon 2.x and 3.x before 3.7 SP4 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
6781 CVE-2014-1992 79 XSS 2014-07-20 2014-07-22
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Messages functionality in Cybozu Garoon 3.1.x, 3.5.x, and 3.7.x before 3.7 SP4 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
6782 CVE-2014-1988 DoS 2014-05-02 2014-05-02
3.5
None Remote Medium ??? None None Partial
The Phone Messages feature in Cybozu Garoon 2.0.0 through 3.7 SP2 allows remote authenticated users to cause a denial of service (resource consumption) via unspecified vectors.
6783 CVE-2014-1934 59 2014-05-08 2018-10-30
3.3
None Local Medium Not required None Partial Partial
tag.py in eyeD3 (aka python-eyed3) 7.0.3, 0.6.18, and earlier for Python allows local users to modify arbitrary files via a symlink attack on a temporary file.
6784 CVE-2014-1902 79 XSS 2015-05-14 2015-05-15
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB004, YCK004, YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD 720 YCBLHD5; Y-cam Classic Range YCB002, YCK002, and YCW003; and Y-cam Original Range YCB001, YCW001, running firmware 4.30 and earlier, allow remote authenticated users to inject arbitrary web script or HTML via the (1) SYSCONTACT parameter to form/identityApply, as triggered using en/identity.asp; (2) PASSWD parameter to form/accAdd, as triggered using en/account/accedit.asp; (3) NTPSERVER parameter to form/clockApply, as triggered using en/clock.asp; (4) SERVER parameter to form/smtpclientApply, as triggered using en/smtpclient.asp; (5) SERVER parameter to form/ftpApply, as triggered using en/ftp.asp; or (6) SERVER parameter to form/httpEventApply, as triggered using en/httpevent.asp.
6785 CVE-2014-1879 79 XSS 2014-02-20 2015-08-05
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action.
6786 CVE-2014-1875 59 2014-10-06 2017-08-29
3.6
None Local Low Not required None Partial Partial
The Capture::Tiny module before 0.24 for Perl allows local users to write to arbitrary files via a symlink attack on a temporary file.
6787 CVE-2014-1665 79 XSS 2018-03-20 2018-04-13
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file.
6788 CVE-2014-1640 59 2014-01-28 2017-08-29
3.3
None Local Medium Not required None Partial Partial
axiom-test.sh in axiom 20100701-1.1 uses tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.
6789 CVE-2014-1639 59 2014-01-28 2017-08-29
3.3
None Local Medium Not required None Partial Partial
syncevo/installcheck-local.sh in syncevolution before 1.3.99.7 uses mktemp to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.
6790 CVE-2014-1638 59 2014-01-28 2017-08-29
3.3
None Local Medium Not required None Partial Partial
(1) debian/postrm and (2) debian/localepurge.config in localepurge before 0.7.3.2 use tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.
6791 CVE-2014-1624 59 2014-01-28 2017-08-29
3.3
None Local Medium Not required None Partial Partial
Race condition in the xdg.BaseDirectory.get_runtime_dir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called.
6792 CVE-2014-1458 79 XSS 2014-02-04 2017-08-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the web administration interface in FortiGuard FortiWeb 5.0.3 and earlier allows remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors.
6793 CVE-2014-1454 79 XSS 2020-01-08 2020-01-10
3.5
None Remote Medium ??? None Partial None
Pearson eSIS (Enterprise Student Information System) message board has stored XSS due to improper validation of user input
6794 CVE-2014-1447 362 DoS 2014-01-24 2015-01-03
3.3
None Local Network Low Not required None None Partial
Race condition in the virNetServerClientStartKeepAlive function in libvirt before 1.2.1 allows remote attackers to cause a denial of service (libvirtd crash) by closing a connection before a keepalive response is sent.
6795 CVE-2014-1353 264 Bypass 2014-07-01 2017-01-07
3.6
None Local Low Not required Partial Partial None
Lock Screen in Apple iOS before 7.1.2 does not properly manage the telephony state in Airplane Mode, which allows physically proximate attackers to bypass the lock protection mechanism, and access a certain foreground application, via unspecified vectors.
6796 CVE-2014-1351 264 Bypass 2014-07-01 2017-01-07
3.6
None Local Low Not required Partial Partial None
Siri in Apple iOS before 7.1.2 allows physically proximate attackers to bypass an intended lock-screen passcode requirement, and read a contact list, via a Siri request that refers to a contact ambiguously.
6797 CVE-2014-1321 264 Bypass 2014-04-23 2014-04-24
3.3
None Local Medium Not required Partial Partial None
Power Management in Apple OS X 10.9.x through 10.9.2 allows physically proximate attackers to bypass an intended transition into the locked-screen state by touching (1) a key or (2) the trackpad during a lid-close action.
6798 CVE-2014-1264 264 Bypass 2014-02-27 2014-03-10
3.3
None Local Medium Not required Partial Partial None
Finder in Apple OS X before 10.9.2 does not ensure ACL integrity after the viewing of file ACL information, which allows local users to bypass intended access restrictions in opportunistic circumstances via standard filesystem operations on a file with a damaged ACL.
6799 CVE-2014-1257 264 Bypass 2014-02-27 2014-02-27
3.6
None Local Low Not required Partial Partial None
CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation.
6800 CVE-2014-1208 DoS 2014-01-17 2017-08-29
3.3
None Local Network Low Not required None None Partial
VMware Workstation 9.x before 9.0.1, VMware Player 5.x before 5.0.1, VMware Fusion 5.x before 5.0.1, VMware ESXi 4.0 through 5.1, and VMware ESX 4.0 and 4.1 allow guest OS users to cause a denial of service (VMX process disruption) by using an invalid port.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.