CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2014

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
351 CVE-2014-0542 264 Bypass 2014-08-12 2017-01-07
10.0
None Remote Low Not required Complete Complete Complete
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2014-0540, CVE-2014-0543, CVE-2014-0544, and CVE-2014-0545.
352 CVE-2014-0541 264 Bypass 2014-08-12 2017-01-07
10.0
None Remote Low Not required Complete Complete Complete
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 allow attackers to bypass intended access restrictions via unspecified vectors.
353 CVE-2014-0540 264 Bypass 2014-08-12 2017-01-07
10.0
None Remote Low Not required Complete Complete Complete
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, and CVE-2014-0545.
354 CVE-2014-0538 Exec Code 2014-08-12 2017-01-07
10.0
None Remote Low Not required Complete Complete Complete
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 allows attackers to execute arbitrary code via unspecified vectors.
355 CVE-2014-0483 264 +Info 2014-08-26 2018-10-30
3.5
None Remote Medium ??? Partial None None
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
356 CVE-2014-0482 287 2014-08-26 2018-10-30
6.0
None Remote Medium ??? Partial Partial Partial
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.
357 CVE-2014-0481 399 DoS 2014-08-26 2018-10-30
4.3
None Remote Medium Not required None None Partial
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name.
358 CVE-2014-0480 20 2014-08-26 2018-10-30
5.8
None Remote Medium Not required Partial Partial None
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.
359 CVE-2014-0479 94 Exec Code 2014-08-06 2017-08-29
6.8
None Remote Medium Not required Partial Partial Partial
reportbug before 6.4.4+deb7u1 and 6.5.x before 6.5.0+nmu1 allows remote attackers to execute arbitrary commands via vectors related to compare_versions and reportbug/checkversions.py.
360 CVE-2014-0328 Exec Code 2014-08-15 2014-08-15
9.3
None Remote Medium Not required Complete Complete Complete
The thraneLINK protocol implementation on Cobham devices does not verify firmware signatures, which allows attackers to execute arbitrary code by leveraging physical access or terminal access to send an SNMP request and a TFTP response.
361 CVE-2014-0327 Exec Code 2014-08-17 2014-08-28
9.3
None Remote Medium Not required Complete Complete Complete
The Terminal Upgrade Tool in the Pilot Below Deck Equipment (BDE) and OpenPort implementations on Iridium satellite terminals allows remote attackers to execute arbitrary code by uploading new firmware to TCP port 54321.
362 CVE-2014-0326 2014-08-17 2014-08-28
9.3
None Remote Medium Not required Complete Complete Complete
The Pilot Below Deck Equipment (BDE) and OpenPort implementations on Iridium satellite terminals allow remote attackers to read hardcoded credentials via the web interface.
363 CVE-2014-0318 264 +Priv 2014-08-12 2019-05-15
7.2
None Local Low Not required Complete Complete Complete
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly control access to thread-owned objects, which allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."
364 CVE-2014-0316 399 DoS Bypass 2014-08-12 2019-05-13
7.5
None Remote Low Not required Partial Partial Partial
Memory leak in the Local RPC (LRPC) server implementation in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (memory consumption) and bypass the ASLR protection mechanism via a crafted client that sends messages with an invalid data view, aka "LRPC ASLR Bypass Vulnerability."
365 CVE-2014-0232 79 XSS 2014-08-22 2018-10-09
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1) result or (2) error message.
366 CVE-2014-0179 20 DoS 2014-08-03 2019-04-22
1.9
None Local Medium Not required None None Partial
libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of some vectors. CVE-2014-5177 is used for other API methods.
367 CVE-2013-7395 255 DoS 2014-08-12 2014-08-14
4.9
None Local Low Not required None None Complete
ZOLL Defibrillator / Monitor X Series has a default (1) supervisor password and (2) service password, which allows physically proximate attackers to modify device configuration and cause a denial of service (adverse human health effects).
368 CVE-2013-7394 94 Exec Code 2014-08-07 2014-08-07
9.0
None Remote Low ??? Complete Complete Complete
The "runshellscript echo.sh" script in Splunk before 5.0.5 allows remote authenticated users to execute arbitrary commands via a crafted string. NOTE: this issue was SPLIT from CVE-2013-6771 per ADT2 due to different vulnerability types.
369 CVE-2013-7180 2014-08-15 2014-08-15
7.8
None Remote Low Not required Complete None None
Cobham SAILOR 900 VSAT; SAILOR FleetBroadBand 150, 250, and 500; EXPLORER BGAN; and AVIATOR 200, 300, 350, and 700D devices do not properly restrict password recovery, which allows attackers to obtain administrative privileges by leveraging physical access or terminal access to spoof a reset code.
370 CVE-2013-7144 310 +Info 2014-08-16 2014-08-18
4.3
None Remote Medium Not required Partial None None
LINE 3.2.1.83 and earlier on Windows and 3.2.1 and earlier on OS X does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
371 CVE-2013-6771 22 Exec Code Dir. Trav. 2014-08-07 2014-08-07
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitrary commands via a .. (dot dot) in the file parameter. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2013-7394 is for the issue in the "runshellscript echo.sh" script.
372 CVE-2013-6335 281 Bypass 2014-08-26 2020-10-29
3.3
None Local Medium Not required Partial Partial None
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and restore operations, which allows local users to bypass intended access restrictions via standard filesystem operations.
373 CVE-2013-6306 +Priv 2014-08-22 2017-08-29
4.6
None Local Low Not required Partial Partial Partial
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.
374 CVE-2013-6222 79 XSS 2014-08-23 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Mobility Web Client and Service Request Catalog (SRC) components in HP Service Manager (SM) 7.21 and 9.x before 9.34 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
375 CVE-2013-6124 59 2014-08-31 2014-09-02
3.3
None Local Medium Not required None Partial Partial
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary file via an attack on the sensor-settings file.
376 CVE-2013-5758 78 2 Exec Code 2014-08-03 2014-08-04
9.0
None Remote Low ??? Complete Complete Complete
cgi-bin/cgiServer.exx in Yealink VoIP Phone SIP-T38G allows remote authenticated users to execute arbitrary commands by calling the system method in the body of a request, as demonstrated by running unauthorized services, changing directory permissions, and modifying files.
377 CVE-2013-5757 22 1 Dir. Trav. 2014-08-03 2014-08-04
4.0
None Remote Low ??? Partial None None
Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.
378 CVE-2013-5756 22 1 Dir. Trav. 2014-08-03 2014-08-04
4.0
None Remote Low ??? Partial None None
Directory traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a .. (dot dot) in the page parameter to cgi-bin/cgiServer.exx.
379 CVE-2013-5467 264 +Priv 2014-08-29 2017-08-29
7.2
None Local Low Not required Complete Complete Complete
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM) on UNIX allow local users to gain privileges via unspecified vectors.
380 CVE-2013-5433 255 +Info 2014-08-12 2017-08-29
4.0
None Remote Low ??? Partial None None
The Data Growth Solution for JD Edwards EnterpriseOne in IBM InfoSphere Optim 3.0 through 9.1 has hardcoded database credentials, which allows remote authenticated users to obtain sensitive information by reading an unspecified field in an XML document.
381 CVE-2013-4159 264 2014-08-06 2018-10-30
7.5
None Remote Low Not required Partial Partial Partial
ctdb before 2.3 in OpenSUSE 12.3 and 13.1 does not create temporary files securely, which has unspecified impact related to "several temp file vulnerabilities" in (1) tcp/tcp_connect.c, (2) server/eventscript.c, (3) tools/ctdb_diagnostics, (4) config/gdb_backtrace, and (5) include/ctdb_private.h.
382 CVE-2013-2599 2014-08-31 2015-11-10
5.0
None Remote Low Not required Partial None None
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption passwords via a logcat call.
383 CVE-2013-2598 20 2014-08-31 2014-09-02
6.6
None Local Low Not required None Complete Complete
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory locations within bootloader memory.
384 CVE-2013-2597 119 Overflow +Priv 2014-08-31 2014-09-02
7.2
None Local Low Not required Complete Complete Complete
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that leverages /dev/msm_acdb access and provides a large size value in an ioctl argument.
385 CVE-2013-2595 264 +Priv 2014-08-31 2014-09-02
7.2
None Local Low Not required Complete Complete Complete
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which allows attackers to gain privileges via a crafted application.
386 CVE-2012-6654 89 Exec Code Sql 2014-08-14 2017-09-08
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in ZPanel 10.0.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) resetkey or (2) inConfEmail parameter to index.php, a different vulnerability than CVE-2012-5685.
387 CVE-2012-6653 2014-08-06 2014-08-07
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the All Video Gallery (all-video-gallery) plugin before 1.2.0 for WordPress has unspecified impact and attack vectors.
388 CVE-2012-5685 89 1 Exec Code Sql 2014-08-14 2014-08-14
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in ZPanel 10.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the inEmailAddress parameter in an UpdateClient action in the manage_clients module to the default URI.
389 CVE-2012-5684 79 1 XSS 2014-08-14 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in ZPanel 10.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the inFullname parameter in an UpdateAccountSettings action in the my_account module to zpanel/.
390 CVE-2012-5683 352 1 Sql XSS CSRF 2014-08-14 2017-08-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in ZPanel 10.0.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create new FTP users via a CreateFTP action in the ftp_management module to the default URI, (2) conduct cross-site scripting (XSS) attacks via the inFullname parameter in an UpdateAccountSettings action in the my_account module to zpanel/, or (3) conduct SQL injection attacks via the inEmailAddress parameter in an UpdateClient action in the manage_clients module to the default URI.
391 CVE-2012-4241 79 XSS 2014-08-12 2017-08-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Microcart 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO or (2) query string to _admin/index.php or (3) first_name, (4) last_name, (5) cc, (6) exp, (7) cvv, (8) address1, (9) address2, (10) city, (11) state, (12) zip, (13) phone, or (14) email parameter to checkout.php, which is not properly handled in an error message.
392 CVE-2012-3820 89 Exec Code Sql 2014-08-14 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Campaign11.exe in Arial Software Campaign Enterprise before 11.0.551 allow remote attackers to execute arbitrary SQL commands via the (1) SerialNumber field to activate.asp or (2) UID field to User-Edit.asp.
393 CVE-2012-1503 79 2 XSS 2014-08-29 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.
394 CVE-2012-0939 89 Exec Code Sql 2014-08-14 2017-08-29
6.5
None Remote Low ??? Partial Partial Partial
Multiple SQL injection vulnerabilities in TestLink 1.8.5b and earlier allow remote authenticated users with the Requirement view permission to execute arbitrary SQL commands via the req_spec_id parameter to (1) reqSpecAnalyse.php, (2) reqSpecPrint.php, or (3) reqSpecView.php in requirements/. NOTE: some of these details are obtained from third party information.
395 CVE-2012-0938 89 Exec Code Sql 2014-08-14 2017-08-29
6.5
None Remote Low ??? Partial Partial Partial
Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and earlier allow remote authenticated users with certain permissions to execute arbitrary SQL commands via the root_node parameter in the display_children function to (1) getrequirementnodes.php or (2) gettprojectnodes.php in lib/ajax/; the (3) cfield_id parameter in an edit action to lib/cfields/cfieldsEdit.php; the (4) id parameter in an edit action or (5) plan_id parameter in a create action to lib/plan/planMilestonesEdit.php; or the req_spec_id parameter to (6) reqImport.php or (7) in a create action to reqEdit.php in lib/requirements/. NOTE: some of these details are obtained from third party information.
396 CVE-2011-2944 89 2 Exec Code Sql 2014-08-12 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in login.php in MegaLab The Uploader before 2.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter.
397 CVE-2011-2593 189 Exec Code Overflow 2014-08-12 2017-08-29
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in the StartEpa method in the nsepacom ActiveX control (nsepa.exe) in Citrix Access Gateway Enterprise Edition Plug-in for Windows 9.x before 9.3-57.5 and 10.0 before 10.0-69.4 allows remote attackers to execute arbitrary code via a crafted Content-Length HTTP header, which triggers a heap-based buffer overflow.
398 CVE-2010-5303 79 XSS 2014-08-21 2014-08-22
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the displayError function in timthumb.php in TimThumb before 1.15 (r85), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to $errorString.
399 CVE-2010-5302 79 XSS 2014-08-21 2014-08-22
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb before 1.15 as of 20100908 (r88), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING.
400 CVE-2010-5110 20 DoS 2014-08-29 2014-09-02
4.3
None Remote Medium Not required None None Partial
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.
Total number of vulnerabilities : 402   Page : 1 2 3 4 5 6 7 8 (This Page)9
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.