CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 2 and 2.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
4801 CVE-2014-3077 200 +Info 2014-09-15 2017-08-29
2.1
None Local Low Not required Partial None None
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.
4802 CVE-2014-3045 200 +Info 2014-07-19 2014-08-04
2.1
None Local Low Not required Partial None None
IBM Scale Out Network Attached Storage (SONAS) 1.3.x and 1.4.x before 1.4.3.3 places an administrative password in the shell history upon use of the -p option to chuser, which allows local users to obtain sensitive information by leveraging root access.
4803 CVE-2014-2884 200 Bypass +Info 2018-03-19 2018-04-20
2.1
None Local Low Not required Partial None None
The ProcessVolumeDeviceControlIrp function in Ntdriver.c in TrueCrypt 7.1a allows local users to bypass access restrictions and obtain sensitive information about arbitrary files via a (1) TC_IOCTL_OPEN_TEST or (2) TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG IOCTL call.
4804 CVE-2014-2690 264 2014-04-15 2014-04-16
2.1
None Local Low Not required Partial None None
Citrix VDI-in-a-Box 5.3.x before 5.3.6 and 5.4.x before 5.4.3 allows local users to obtain administrator credentials by reading the log.
4805 CVE-2014-2573 264 DoS Bypass 2014-03-25 2014-03-26
2.3
None Local Network Medium ??? None None Partial
The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image.
4806 CVE-2014-2568 416 +Info 2014-03-24 2019-05-10
2.9
None Local Network Medium Not required Partial None None
Use-after-free vulnerability in the nfqnl_zcopy function in net/netfilter/nfnetlink_queue_core.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. NOTE: the affected code was moved to the skb_zerocopy function in net/core/skbuff.c before the vulnerability was announced.
4807 CVE-2014-2495 2014-07-17 2018-10-09
2.3
None Local Network Medium ??? Partial None None
Unspecified vulnerability in the PeopleSoft Enterprise SCM Purchasing component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Purchasing.
4808 CVE-2014-2478 2014-10-15 2014-10-16
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote attackers to affect confidentiality via unknown vectors.
4809 CVE-2014-2466 2014-04-16 2014-04-16
2.1
None Remote High ??? Partial None None
Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.
4810 CVE-2014-2432 2014-04-16 2019-12-17
2.8
None Remote Medium ??? None None Partial
Unspecified vulnerability in the Oracle MySQL Server component 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated.
4811 CVE-2014-2431 2014-04-16 2019-12-17
2.6
None Remote High Not required None None Partial
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options.
4812 CVE-2014-2420 2014-04-16 2020-09-08
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect integrity via unknown vectors related to Deployment.
4813 CVE-2014-2381 +Info 2014-08-28 2014-08-28
2.1
None Local Low Not required Partial None None
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows local users to obtain sensitive information by reading a credential file.
4814 CVE-2014-2343 20 DoS 2014-05-30 2014-06-04
2.1
None Local Low Not required None None Partial
Triangle MicroWorks SCADA Data Gateway before 3.00.0635 allows physically proximate attackers to cause a denial of service (excessive data processing) via a crafted DNP request over a serial line.
4815 CVE-2014-2333 79 XSS 2014-04-11 2017-08-29
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Lazyest Gallery plugin before 1.1.21 for WordPress allows remote attackers to inject arbitrary web script or HTML via an EXIF tag. NOTE: some of these details are obtained from third party information.
4816 CVE-2014-2226 255 +Info 2014-07-29 2019-06-10
2.6
None Remote High Not required Partial None None
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors.
4817 CVE-2014-2079 264 Bypass 2018-07-16 2018-09-15
2.1
None Local Low Not required Partial None None
X File Explorer (aka xfe) might allow local users to bypass intended access restrictions and gain access to arbitrary files by leveraging failure to use directory masks when creating files on Samba and NFS shares.
4818 CVE-2014-2040 79 XSS 2014-03-03 2018-10-09
2.1
None Remote High ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the (1) callback_multicheck, (2) callback_radio, and (3) callback_wysiwygin functions in mfrh_class.settings-api.php in the Media File Renamer plugin 1.7.0 for WordPress allow remote authenticated users with permissions to add media or edit media to inject arbitrary web script or HTML via unspecified parameters, as demonstrated by the title of an uploaded file.
4819 CVE-2014-2038 200 +Info 2014-02-28 2020-08-26
2.1
None Local Low Not required Partial None None
The nfs_can_extend_write function in fs/nfs/write.c in the Linux kernel before 3.13.3 relies on a write delegation to extend a write operation without a certain up-to-date verification, which allows local users to obtain sensitive information from kernel memory in opportunistic circumstances by writing to a file in an NFS filesystem and then reading the same file.
4820 CVE-2014-2000 200 +Info 2014-06-18 2014-06-19
2.6
None Remote High Not required Partial None None
The NTT 050 plus application before 4.2.1 for Android allows attackers to obtain sensitive information by leveraging the ability to read system log files.
4821 CVE-2014-1948 255 +Info 2014-02-14 2014-03-08
2.6
None Local High Not required Partial Partial None
OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading the log.
4822 CVE-2014-1938 59 2019-11-21 2019-11-22
2.1
None Local Low Not required None None Partial
python-rply before 0.7.4 insecurely creates temporary files.
4823 CVE-2014-1933 264 2014-04-17 2017-07-01
2.1
None Local Low Not required None Partial None
The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 use the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.
4824 CVE-2014-1859 59 2018-01-08 2019-04-22
2.1
None Local Low Not required None Partial None
(1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) f2py/f2py2e.py, and (4) lib/tests/test_io.py in NumPy before 1.8.1 allow local users to write to arbitrary files via a symlink attack on a temporary file.
4825 CVE-2014-1858 20 2018-01-08 2018-01-30
2.1
None Local Low Not required None Partial None
__init__.py in f2py in NumPy before 1.8.1 allows local users to write to arbitrary files via a symlink attack on a temporary file.
4826 CVE-2014-1835 255 2018-02-02 2018-02-14
2.1
None Local Low Not required Partial None None
The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to steal the login credentials by watching the process table.
4827 CVE-2014-1832 2015-02-19 2015-02-20
2.1
None Local Low Not required None Partial None
Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.
4828 CVE-2014-1831 2015-02-19 2015-02-20
2.1
None Local Low Not required None Partial None
Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file.
4829 CVE-2014-1826 79 XSS 2014-03-26 2014-03-26
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the iThoughtsHD app 4.19 for iOS on iPad devices, when the WiFi Transfer feature is used, allows remote attackers to inject arbitrary web script or HTML via a crafted map name.
4830 CVE-2014-1739 200 +Info 2014-06-23 2020-08-19
2.1
None Local Low Not required Partial None None
The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.
4831 CVE-2014-1738 200 +Info 2014-05-11 2020-08-21
2.1
None Local Low Not required Partial None None
The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device.
4832 CVE-2014-1690 200 +Info 2014-02-28 2020-08-28
2.6
None Remote High Not required Partial None None
The help function in net/netfilter/nf_nat_irc.c in the Linux kernel before 3.12.8 allows remote attackers to obtain sensitive information from kernel memory by establishing an IRC DCC session in which incorrect packet data is transmitted during use of the NAT mangle feature.
4833 CVE-2014-1652 79 XSS 2014-06-18 2017-12-28
2.3
None Local Network Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the management console in Symantec Web Gateway (SWG) before 5.2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified report parameters.
4834 CVE-2014-1647 119 DoS Overflow 2014-04-23 2014-04-24
2.6
None Remote High Not required None None Partial
Symantec PGP Desktop 10.0.x through 10.2.x and Encryption Desktop Professional 10.3.x before 10.3.2 MP1 do not properly perform block-data moves, which allows remote attackers to cause a denial of service (read access violation and application crash) via a malformed certificate.
4835 CVE-2014-1646 119 DoS Overflow 2014-04-23 2014-04-24
2.6
None Remote High Not required None None Partial
Symantec PGP Desktop 10.0.x through 10.2.x and Encryption Desktop Professional 10.3.x before 10.3.2 MP1 do not properly perform memory copies, which allows remote attackers to cause a denial of service (read access violation and application crash) via a malformed certificate.
4836 CVE-2014-1604 2014-01-28 2017-08-29
2.1
None Local Low Not required None Partial None
The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.
4837 CVE-2014-1595 199 +Info 2014-12-11 2016-10-04
2.1
None Local Low Not required Partial None None
Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, and Thunderbird before 31.3 on Apple OS X 10.10 omit a CoreGraphics disable-logging action that is needed by jemalloc-based applications, which allows local users to obtain sensitive information by reading /tmp files, as demonstrated by credential information.
4838 CVE-2014-1504 264 XSS 2014-03-19 2020-08-10
2.6
None Remote High Not required None Partial None
The session-restore feature in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not consider the Content Security Policy of a data: URL, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document that is accessed after a browser restart.
4839 CVE-2014-1445 399 +Info 2014-01-18 2017-08-29
2.1
None Local Low Not required Partial None None
The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call.
4840 CVE-2014-1425 264 2015-01-07 2015-01-08
2.1
None Local Low Not required None Partial None
cmanager 0.32 does not properly enforce nesting when modifying cgroup properties, which allows local users to set cgroup values for all cgroups via unspecified vectors.
4841 CVE-2014-1420 502 2020-09-11 2020-09-16
2.1
None Local Low Not required Partial None None
On desktop, Ubuntu UI Toolkit's StateSaver would serialise data on tmp/ files which an attacker could use to expose potentially sensitive data. StateSaver would also open files without the O_EXCL flag. An attacker could exploit this to launch a symlink attack, though this is partially mitigated by symlink and hardlink restrictions in Ubuntu. Fixed in 1.1.1188+14.10.20140813.4-0ubuntu1.
4842 CVE-2014-1380 264 Bypass 2014-07-01 2015-12-22
2.6
None Local High Not required Partial Partial None
The Security - Keychain component in Apple OS X before 10.9.4 does not properly implement keystroke observers, which allows physically proximate attackers to bypass the screen-lock protection mechanism, and enter characters into an arbitrary window under the lock window, via keyboard input.
4843 CVE-2014-1378 264 Bypass 2014-07-01 2015-12-22
2.1
None Local Low Not required Partial None None
IOGraphicsFamily in Apple OS X before 10.9.4 allows local users to bypass the ASLR protection mechanism by leveraging read access to a kernel pointer in an IOKit object.
4844 CVE-2014-1375 264 Bypass 2014-07-01 2015-12-22
2.1
None Local Low Not required Partial None None
Intel Graphics Driver in Apple OS X before 10.9.4 allows local users to bypass the ASLR protection mechanism by leveraging read access to a kernel pointer in an IOKit object.
4845 CVE-2014-1360 20 Bypass 2014-07-01 2017-01-07
2.1
None Local Low Not required None Partial None
Lockdown in Apple iOS before 7.1.2 does not properly verify data from activation servers, which makes it easier for physically proximate attackers to bypass the Activation Lock protection mechanism via unspecified vectors.
4846 CVE-2014-1348 310 +Info 2014-07-01 2017-01-07
2.1
None Local Low Not required Partial None None
Mail in Apple iOS before 7.1.2 advertises the availability of data protection for attachments but stores cleartext attachments under mobile/Library/Mail/, which makes it easier for physically proximate attackers to obtain sensitive information by mounting the data partition.
4847 CVE-2014-1317 200 +Info 2014-07-01 2015-12-22
2.1
None Local Low Not required Partial None None
iBooks Commerce in Apple OS X before 10.9.4 places Apple ID credentials in the iBooks log, which allows local users to obtain sensitive information by reading this file.
4848 CVE-2014-1279 264 +Info 2014-03-14 2019-03-08
2.1
None Local Low Not required Partial None None
Apple TV before 6.1 does not properly restrict logging, which allows local users to obtain sensitive information by reading log data.
4849 CVE-2014-1274 200 +Info 2014-03-14 2014-03-14
2.1
None Local Low Not required Partial None None
FaceTime in Apple iOS before 7.1 allows physically proximate attackers to obtain sensitive FaceTime contact information by using the lock screen for an invalid FaceTime call.
4850 CVE-2014-1234 200 +Info 2014-01-10 2014-01-10
2.1
None Local Low Not required Partial None None
The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.