CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2014

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2014-3914 22 1 Exec Code Dir. Trav. 2014-08-07 2014-08-07
10.0
None Remote Low Not required Complete Complete Complete
Directory traversal vulnerability in the Admin Center for Tivoli Storage Manager (TSM) in Rocket ServerGraph 1.2 allows remote attackers to (1) create arbitrary files via a .. (dot dot) in the query parameter in a writeDataFile action to the fileRequestor servlet, execute arbitrary files via a .. (dot dot) in the query parameter in a (2) run or (3) runClear action to the fileRequestor servlet, (4) read arbitrary files via a readDataFile action to the fileRequestor servlet, (5) execute arbitrary code via a save_server_groups action to the userRequest servlet, or (6) delete arbitrary files via a del action in the fileRequestServlet servlet.
152 CVE-2014-3908 310 +Info 2014-08-30 2014-09-02
5.8
None Remote Medium Not required Partial Partial None
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
153 CVE-2014-3907 352 CSRF 2014-08-26 2014-08-27
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.11 for WordPress allows remote attackers to hijack the authentication of arbitrary users.
154 CVE-2014-3906 89 Exec Code Sql 2014-08-19 2014-08-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in OSK Advance-Flow 4.41 and earlier and Advance-Flow Forms 4.41 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
155 CVE-2014-3905 79 XSS 2014-08-17 2014-09-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in tenfourzero Shutter 0.1.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
156 CVE-2014-3904 89 Exec Code Sql 2014-08-17 2014-09-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in lib/admin.php in tenfourzero Shutter 0.1.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
157 CVE-2014-3903 79 XSS 2014-08-19 2017-07-17
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Cakifo theme 1.x before 1.6.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via crafted Exif data.
158 CVE-2014-3902 310 +Info 2014-08-15 2014-08-15
5.8
None Remote Medium Not required Partial Partial None
The CyberAgent Ameba application 3.x and 4.x before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
159 CVE-2014-3901 DoS 2014-08-12 2015-12-04
7.8
None Remote Low Not required None None Complete
Raritan Japan Dominion KX2-101 switches before 2 allow remote attackers to cause a denial of service (device hang) via a crafted packet.
160 CVE-2014-3900 79 XSS 2014-08-17 2014-09-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.
161 CVE-2014-3899 DoS 2014-08-12 2014-08-12
4.3
None Remote Medium Not required None None Partial
Gretech GOM Player 2.2.51.5149 and earlier allows remote attackers to cause a denial of service (launch outage) via a crafted image file.
162 CVE-2014-3898 79 XSS 2014-08-14 2015-12-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Fujitsu ServerView Operations Manager 5.00.09 through 6.30.05 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
163 CVE-2014-3855 22 Dir. Trav. 2014-08-07 2014-08-07
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in download.py in Pyplate 0.08 allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter.
164 CVE-2014-3854 352 XSS CSRF 2014-08-07 2014-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in admin/addScript.py in Pyplate 0.08 allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the title parameter.
165 CVE-2014-3853 200 +Info 2014-08-07 2014-08-07
5.0
None Remote Low Not required Partial None None
Pyplate 0.08 does not set the secure flag for the id cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
166 CVE-2014-3852 200 +Info 2014-08-07 2014-08-07
5.0
None Remote Low Not required Partial None None
Pyplate 0.08 does not include the HTTPOnly flag in a Set-Cookie header for the id cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
167 CVE-2014-3851 200 +Info 2014-08-07 2014-08-07
2.1
None Local Low Not required Partial None None
usr/lib/cgi-bin/create_passwd_file.py in Pyplate 0.08 uses world-readable permissions for passwd.db, which allows local users to obtain the administrator password by reading this file.
168 CVE-2014-3800 264 2014-08-07 2014-08-07
2.1
None Local Low Not required Partial None None
XBMC 13.0 uses world-readable permissions for .xbmc/userdata/sources.xml, which allows local users to obtain user names and passwords by reading this file.
169 CVE-2014-3774 79 XSS 2014-08-07 2014-08-07
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in items.php in TeamPass before 2.1.20 allow remote attackers to inject arbitrary web script or HTML via the group parameter, which is not properly handled in a (1) hid_cat or (2) open_folder form element, or (3) id parameter, which is not properly handled in the open_id form element.
170 CVE-2014-3773 89 Exec Code Sql 2014-08-07 2014-08-07
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in TeamPass before 2.1.20 allow remote attackers to execute arbitrary SQL commands via the login parameter in a (1) send_pw_by_email or (2) generate_new_password action in sources/main.queries.php; iDisplayStart parameter to (3) datatable.logs.php or (4) a file in source/datatable/; or iDisplayLength parameter to (5) datatable.logs.php or (6) a file in source/datatable/; or allow remote authenticated users to execute arbitrary SQL commands via a sSortDir_ parameter to (7) datatable.logs.php or (8) a file in source/datatable/.
171 CVE-2014-3772 264 Bypass 2014-08-07 2014-08-07
7.5
None Remote Low Not required Partial Partial Partial
TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via a request to index.php followed by a direct request to a file that calls the session_start function before checking the CPM key, as demonstrated by a request to sources/upload/upload.files.php.
172 CVE-2014-3771 264 Bypass 2014-08-07 2014-08-07
7.5
None Remote Low Not required Partial Partial Partial
TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via the language file path in a (1) request to index.php or (2) "change_user_language" request to sources/main.queries.php.
173 CVE-2014-3597 119 DoS Exec Code Overflow 2014-08-23 2017-01-07
6.8
None Remote Medium Not required Partial Partial Partial
Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049.
174 CVE-2014-3596 2014-08-27 2020-01-15
5.8
None Remote Medium Not required Partial Partial None
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
175 CVE-2014-3594 79 XSS 2014-08-22 2021-03-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.
176 CVE-2014-3589 20 DoS 2014-08-25 2018-10-30
5.0
None Remote Low Not required None None Partial
PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.
177 CVE-2014-3587 189 DoS Overflow 2014-08-23 2018-01-05
4.3
None Remote Medium Not required None None Partial
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.
178 CVE-2014-3577 2014-08-21 2021-10-07
5.8
None Remote Medium Not required Partial Partial None
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
179 CVE-2014-3575 264 2014-08-27 2017-08-29
4.3
None Remote Medium Not required Partial None None
The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data into documents via crafted OLE objects.
180 CVE-2014-3563 59 2014-08-22 2017-08-29
7.2
None Local Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.
181 CVE-2014-3562 200 +Info 2014-08-21 2019-04-22
5.0
None Remote Low Not required Partial None None
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory.
182 CVE-2014-3560 94 Exec Code 2014-08-06 2019-04-22
7.9
None Local Network Medium Not required Complete Complete Complete
NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x before 4.1.11 allows remote attackers to execute arbitrary code via unspecified vectors that modify heap memory, involving a sizeof operation on an incorrect variable in the unstrcpy macro in string_wrappers.h.
183 CVE-2014-3559 264 +Info 2014-08-06 2017-08-29
3.5
None Remote Medium ??? Partial None None
The oVirt storage backend in Red Hat Enterprise Virtualization 3.4 does not wipe memory snapshots when deleting a VM, even when wipe-after-delete (WAD) is configured for the VM's disk, which allows remote authenticated users with certain credentials to read portions of the deleted VM's memory and obtain sensitive information via an uninitialized storage volume.
184 CVE-2014-3534 269 +Priv 2014-08-01 2020-08-14
7.2
None Local Low Not required Complete Complete Complete
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a crafted application that makes a ptrace system call.
185 CVE-2014-3528 255 2014-08-19 2018-10-30
4.0
None Remote High Not required Partial Partial None
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.
186 CVE-2014-3525 2014-08-22 2017-08-29
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.
187 CVE-2014-3524 Exec Code 2014-08-26 2018-10-09
9.3
None Remote Medium Not required Complete Complete Complete
Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified impact via a crafted Calc spreadsheet.
188 CVE-2014-3522 297 2014-08-19 2018-10-30
4.0
None Remote High Not required Partial Partial None
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
189 CVE-2014-3517 200 +Info 2014-08-07 2018-11-15
4.3
None Remote Medium Not required Partial None None
api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests.
190 CVE-2014-3514 264 Bypass 2014-08-20 2019-08-08
7.5
None Remote Low Not required Partial Partial Partial
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.
191 CVE-2014-3512 119 DoS Overflow 2014-08-13 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter.
192 CVE-2014-3511 2014-08-13 2017-11-15
4.3
None Remote Medium Not required None Partial None
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.
193 CVE-2014-3510 DoS 2014-08-13 2017-08-29
4.3
None Remote Medium Not required None None Partial
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite.
194 CVE-2014-3509 362 DoS 2014-08-13 2017-11-15
6.8
None Remote Medium Not required Partial Partial Partial
Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.
195 CVE-2014-3508 200 +Info 2014-08-13 2017-11-15
4.3
None Remote Medium Not required Partial None None
The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.
196 CVE-2014-3507 399 DoS 2014-08-13 2017-08-29
5.0
None Remote Low Not required None None Partial
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.
197 CVE-2014-3506 399 DoS 2014-08-13 2017-08-29
5.0
None Remote Low Not required None None Partial
d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.
198 CVE-2014-3505 DoS 2014-08-13 2017-01-07
5.0
None Remote Low Not required None None Partial
Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.
199 CVE-2014-3504 2014-08-19 2018-08-13
4.0
None Remote High Not required Partial Partial None
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
200 CVE-2014-3490 2014-08-19 2019-03-21
7.5
None Remote Low Not required Partial Partial Partial
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.
Total number of vulnerabilities : 402   Page : 1 2 3 4 (This Page)5 6 7 8 9
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.