CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
4851 CVE-2014-0979 DoS 2014-01-23 2018-10-30
2.1
None Local Low Not required None None Partial
The start_authentication function in lightdm-gtk-greeter.c in LightDM GTK+ Greeter before 1.7.1 does not properly handle the return value from the lightdm_greeter_get_authentication_user function, which allows local users to cause a denial of service (NULL pointer dereference) via an empty username.
4852 CVE-2014-0905 264 2014-08-17 2017-08-29
2.9
None Local Network Medium Not required Partial None None
IBM InfoSphere BigInsights 2.0 through 2.1.2 does not set the secure flag for the LTPA cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
4853 CVE-2014-0876 119 DoS Overflow 2014-08-17 2017-08-29
2.1
None Local Low Not required None None Partial
Buffer overflow in the Java GUI Configuration Wizard and Preferences Editor in the backup-archive client in IBM Tivoli Storage Manager (TSM) 5.x and 6.x before 6.2.5.2, 6.3.x before 6.3.2, and 6.4.x before 6.4.2 on Windows and OS X allows local users to cause a denial of service (application crash or hang) via unspecified vectors.
4854 CVE-2014-0841 326 2018-04-27 2018-06-07
2.1
None Local Low Not required Partial None None
IBM Rational Focal Point 6.4.0, 6.4.1, 6.5.1, 6.5.2, and 6.6.0 use a weak algorithm to hash passwords, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack. IBM X-Force ID: 90704.
4855 CVE-2014-0647 255 2014-01-28 2018-10-09
2.1
None Local Low Not required Partial None None
The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog.
4856 CVE-2014-0624 +Priv Bypass 2014-03-06 2014-03-07
2.7
None Local Network Low ??? Partial None None
EMC RSA Data Loss Prevention (DLP) 9.x before 9.6-SP2 does not properly manage sessions, which allows remote authenticated users to gain privileges and bypass intended content-reading restrictions via unspecified vectors.
4857 CVE-2014-0595 119 Overflow 2014-05-08 2020-02-24
2.6
None Local High Not required Partial Partial None
/opt/novell/ncl/bin/nwrights in Novell Client for Linux in Novell Open Enterprise Server (OES) 11 Linux SP2 does not properly manage a certain array, which allows local users to obtain the S permission in opportunistic circumstances by leveraging the granting of the F permission by an administrator.
4858 CVE-2014-0591 119 DoS Overflow 2014-01-14 2018-10-30
2.6
None Remote High Not required None None Partial
The query_findclosestnsec3 function in query.c in named in ISC BIND 9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV before 9.6-ESV-R10-P2, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a crafted DNS query to an authoritative nameserver that uses the NSEC3 signing feature.
4859 CVE-2014-0430 2014-01-15 2017-08-29
2.8
None Remote Medium ??? None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema.
4860 CVE-2014-0420 2014-01-15 2019-12-17
2.8
None Remote Medium ??? None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Replication.
4861 CVE-2014-0406 2014-01-15 2017-08-29
2.4
None Local High ??? None Partial Partial
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-0404.
4862 CVE-2014-0404 2014-01-15 2017-08-29
2.4
None Local High ??? None Partial Partial
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-0406.
4863 CVE-2014-0381 2014-01-15 2014-02-07
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect integrity via vectors related to PIA Core Technology, a different vulnerability than CVE-2014-0445.
4864 CVE-2014-0370 2014-01-15 2014-02-07
2.8
None Remote Medium ??? None None Partial
Unspecified vulnerability in the Siebel Life Sciences component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Clinical Trip Report.
4865 CVE-2014-0243 59 2018-07-19 2018-09-17
2.1
None Local Low Not required Partial None None
Check_MK through 1.2.5i2p1 allows local users to read arbitrary files via a symlink attack to a file in /var/lib/check_mk_agent/job.
4866 CVE-2014-0241 522 2019-12-13 2019-12-18
2.1
None Local Low Not required Partial None None
rubygem-hammer_cli_foreman: File /etc/hammer/cli.modules.d/foreman.yml world readable
4867 CVE-2014-0219 20 DoS 2017-11-15 2019-01-08
2.1
None Local Low Not required None None Partial
Apache Karaf before 4.0.10 enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports.
4868 CVE-2014-0206 +Info 2014-06-25 2018-12-13
2.1
None Local Low Not required Partial None None
Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value.
4869 CVE-2014-0202 255 +Info 2014-05-30 2014-06-26
2.1
None Local Low Not required Partial None None
The setup script in ovirt-engine-dwh, as used in the Red Hat Enterprise Virtualization Manager data warehouse (rhevm-dwh) package before 3.3.3, stores the history database password in cleartext, which allows local users to obtain sensitive information by reading an unspecified file.
4870 CVE-2014-0201 264 +Info 2014-05-29 2014-05-30
2.1
None Local Low Not required Partial None None
ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports package (rhevm-reports) before 3.3.3, uses world-readable permissions on configuration files, which allows local users to obtain sensitive information by reading the files.
4871 CVE-2014-0200 264 +Info 2014-05-29 2014-05-30
2.1
None Local Low Not required Partial None None
The Red Hat Enterprise Virtualization Manager reports (rhevm-reports) package before 3.3.3-1 uses world-readable permissions on the datasource configuration file (js-jboss7-ds.xml), which allows local users to obtain sensitive information by reading the file.
4872 CVE-2014-0199 310 +Info 2014-05-29 2014-05-30
2.1
None Local Low Not required Partial None None
The setup script in ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports (rhevm-reports) package before 3.3.3, stores the reports database password in cleartext, which allows local users to obtain sensitive information by reading an unspecified file.
4873 CVE-2014-0189 310 2014-05-02 2016-08-26
2.1
None Local Low Not required Partial None None
virt-who uses world-readable permissions for /etc/sysconfig/virt-who, which allows local users to obtain password for hypervisors by reading the file.
4874 CVE-2014-0181 264 Bypass 2014-04-27 2020-08-26
2.1
None Local Low Not required None Partial None
The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program.
4875 CVE-2014-0164 310 +Info 2014-05-05 2014-06-30
2.1
None Local Low Not required Partial None None
openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise 1.2.7 and 2.0.5, uses world-readable permissions for the mcollective client.cfg configuration file, which allows local users to obtain credentials and other sensitive information by reading the file.
4876 CVE-2014-0142 369 DoS 2017-08-10 2017-11-04
2.1
None Local Low Not required None None Partial
QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function in block/bochs.c.
4877 CVE-2014-0131 416 +Info 2014-03-24 2019-05-13
2.9
None Local Network Medium Not required Partial None None
Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.
4878 CVE-2014-0103 310 +Info 2014-07-29 2015-11-04
2.1
None Local Low Not required Partial None None
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.
4879 CVE-2014-0085 255 +Info 2014-04-17 2018-10-23
2.1
None Local Low Not required Partial None None
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.
4880 CVE-2014-0084 20 DoS 2019-11-21 2019-11-25
2.1
None Local Low Not required None None Partial
Ruby gem openshift-origin-node before 2014-02-14 does not contain a cronjob timeout which could result in a denial of service in cron.daily and cron.weekly.
4881 CVE-2014-0083 916 2019-11-21 2019-12-19
2.1
None Local Low Not required Partial None None
The Ruby net-ldap gem before 0.11 uses a weak salt when generating SSHA passwords.
4882 CVE-2014-0059 200 +Info 2014-11-17 2016-10-01
2.1
None Local Low Not required Partial None None
JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive information by reading this file.
4883 CVE-2014-0056 287 2014-05-08 2014-06-05
2.1
None Remote High ??? Partial None None
The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.
4884 CVE-2014-0046 79 XSS 2014-02-27 2018-08-13
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the link-to helper in Ember.js 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6, when used in non-block form, allows remote attackers to inject arbitrary web script or HTML via the title attribute.
4885 CVE-2013-7461 284 Bypass 2017-03-14 2017-03-16
2.1
None Local Low Not required None Partial None
A write protection and execution bypass vulnerability in McAfee (now Intel Security) Change Control (MCC) 6.1.0 for Linux and earlier allows authenticated users to change files that are part of write protection rules via specific conditions.
4886 CVE-2013-7460 284 Bypass 2017-03-14 2017-03-17
2.1
None Local Low Not required None Partial None
A write protection and execution bypass vulnerability in McAfee (now Intel Security) Application Control (MAC) 6.1.0 for Linux and earlier allows authenticated users to change binaries that are part of the Application Control whitelist and allows execution of binaries via specific conditions.
4887 CVE-2013-7458 200 +Info 2016-08-10 2018-08-08
2.1
None Local Low Not required Partial None None
linenoise, as used in Redis before 3.2.3, uses world-readable permissions for .rediscli_history, which allows local users to obtain sensitive information by reading the file.
4888 CVE-2013-7421 269 2015-03-02 2020-05-19
2.1
None Local Low Not required None Partial None
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.
4889 CVE-2013-7393 59 +Priv 2014-07-28 2016-10-18
2.4
None Local High ??? None Partial Partial
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions (ADT3).
4890 CVE-2013-7273 DoS 2014-04-29 2014-04-30
2.1
None Local Low Not required None None Partial
GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list is set to true, allows local users to cause a denial of service (unable to login) by pressing the cancel button after entering a user name.
4891 CVE-2013-7203 200 +Info 2018-09-21 2018-11-19
2.1
None Local Low Not required Partial None None
gitolite before commit fa06a34 might allow local users to read arbitrary files in repositories via vectors related to the user umask when running gitolite setup.
4892 CVE-2013-7128 310 +Info 2013-12-17 2013-12-18
2.1
None Local Low Not required Partial None None
Valve Bug Reporter in the valve-bugreporter package 2.10+bsos1 in Valve SteamOS Beta stores cleartext credentials in a .valve-bugreporter.cfg file upon a Remember Credentials action, which allows local users to obtain sensitive information by reading this file.
4893 CVE-2013-7127 310 +Info 2013-12-17 2017-08-29
2.1
None Local Low Not required Partial None None
Apple Safari 6.0.5 on Mac OS X 10.7.5 and 10.8.5 stores cleartext credentials in LastSession.plist, which allows local users to obtain sensitive information by reading this file.
4894 CVE-2013-7078 79 XSS 2014-01-19 2017-08-29
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message. NOTE: this might be the same vulnerability as CVE-2013-7072.
4895 CVE-2013-7064 79 XSS 2014-04-29 2014-04-29
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the EU Cookie Compliance module 7.x-1.x before 7.x-1.12 for Drupal allows remote authenticated administrators with the "Administer EU Cookie Compliance popup" permission to inject arbitrary web script or HTML via unspecified configuration values.
4896 CVE-2013-6986 310 Bypass +Info 2013-12-12 2013-12-20
2.1
None Local Low Not required Partial None None
The ZippyYum Subway CA Kiosk app 3.4 for iOS uses cleartext storage in SQLite cache databases, which allows attackers to obtain sensitive information by reading data elements, as demonstrated by password elements.
4897 CVE-2013-6956 79 XSS 2013-12-13 2014-01-04
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Secure Access Service Web rewriting feature in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS before 7.1r17, 7.3 before 7.3r8, 7.4 before 7.4r6, and 8.0 before 8.0r1, when web rewrite is enabled, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
4898 CVE-2013-6927 Bypass 2020-02-13 2020-02-20
2.1
None Local Low Not required None Partial None
Internet TRiLOGI Server (unknown versions) could allow a local user to bypass security and create a local user account.
4899 CVE-2013-6497 17 DoS 2014-12-01 2017-08-29
2.1
None Local Low Not required None None Partial
clamscan in ClamAV before 0.98.5, when using -a option, allows remote attackers to cause a denial of service (crash) as demonstrated by the jwplayer.js file.
4900 CVE-2013-6494 17 DoS 2014-12-02 2014-12-02
2.1
None Local Low Not required None None Partial
fedup 0.9.0 in Fedora 19, 20, and 21 uses a temporary directory with a static name for its download cache, which allows local users to cause a denial of service (prevention of system updates).
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.