CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Fedoraproject : Security Vulnerabilities (CVSS score between 4 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
701 CVE-2014-3219 59 2018-02-09 2019-09-24
4.3
None Local Low ??? Partial Partial Partial
fish before 2.1.1 allows local users to write to arbitrary files via a symlink attack on (1) /tmp/fishd.log.%s, (2) /tmp/.pac-cache.$USER, (3) /tmp/.yum-cache.$USER, or (4) /tmp/.rpm-cache.$USER.
702 CVE-2014-2678 476 DoS 2014-04-01 2020-08-28
4.7
None Local Medium Not required None None Complete
The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.
703 CVE-2014-2326 79 XSS 2014-03-27 2018-10-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
704 CVE-2014-1682 287 2014-05-08 2014-05-09
4.0
None Remote Low ??? None Partial None
The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2.2rc1 allows remote authenticated users to spoof arbitrary users via the user name in a user.login request.
705 CVE-2014-1573 79 XSS 2014-10-13 2016-11-28
4.3
None Remote Medium Not required None Partial None
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters, which allows remote attackers to conduct cross-site scripting (XSS) attacks by sending three values for a single parameter name.
706 CVE-2014-1571 200 +Info 2014-10-13 2016-04-07
4.0
None Remote Low ??? Partial None None
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient, related to Bug.pm, Flag.pm, and a mail template.
707 CVE-2014-1530 79 XSS 2014-04-30 2020-08-07
4.3
None Remote Medium Not required None Partial None
The docshell implementation in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to trigger the loading of a URL with a spoofed baseURI property, and conduct cross-site scripting (XSS) attacks, via a crafted web site that performs history navigation.
708 CVE-2014-1523 787 DoS Overflow 2014-04-30 2020-08-07
4.3
None Remote Medium Not required None None Partial
Heap-based buffer overflow in the read_u32 function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG image.
709 CVE-2014-1517 287 +Info CSRF 2014-04-20 2016-04-04
4.0
None Remote Low ??? Partial None None
The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue.
710 CVE-2014-1491 326 Bypass 2014-02-06 2020-07-31
4.3
None Remote Medium Not required Partial None None
Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.
711 CVE-2014-1400 284 Bypass 2018-04-10 2018-05-18
4.0
None Remote Low ??? None Partial None
The entity_access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions and read unpublished comments via unspecified vectors.
712 CVE-2014-1399 284 Bypass 2018-04-10 2018-05-18
4.0
None Remote Low ??? None Partial None
The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on referenced entities via unspecified vectors.
713 CVE-2014-1398 284 Bypass 2018-04-10 2018-05-18
4.0
None Remote Low ??? None Partial None
The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on comment, user and node statistics properties via unspecified vectors.
714 CVE-2014-0221 399 DoS 2014-06-05 2019-04-22
4.3
None Remote Medium Not required None None Partial
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
715 CVE-2014-0190 476 DoS 2014-05-08 2021-06-16
4.3
None Remote Medium Not required None None Partial
The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
716 CVE-2013-6673 310 2013-12-11 2020-08-12
4.3
None Remote Medium Not required None Partial None
Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 do not recognize a user's removal of trust from an EV X.509 certificate, which makes it easier for man-in-the-middle attackers to spoof SSL servers in opportunistic circumstances via a valid certificate that is unacceptable to the user.
717 CVE-2013-6672 200 +Info 2013-12-11 2020-08-21
4.3
None Remote Medium Not required Partial None None
Mozilla Firefox before 26.0 and SeaMonkey before 2.23 on Linux allow user-assisted remote attackers to read clipboard data by leveraging certain middle-click paste operations.
718 CVE-2013-6476 264 +Priv 2014-03-14 2014-03-17
4.4
None Local Medium Not required Partial Partial Partial
The OPVPWrapper::loadDriver function in oprs/OPVPWrapper.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allows local users to gain privileges via a Trojan horse driver in the same directory as the PDF file.
719 CVE-2013-5614 1021 Bypass 2013-12-11 2020-08-21
4.3
None Remote Medium Not required None Partial None
Mozilla Firefox before 26.0 and SeaMonkey before 2.23 do not properly consider the sandbox attribute of an IFRAME element during processing of a contained OBJECT element, which allows remote attackers to bypass intended sandbox restrictions via a crafted web site.
720 CVE-2013-5612 79 XSS 2013-12-11 2020-08-21
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header.
721 CVE-2013-5123 287 2019-11-05 2019-11-12
4.3
None Remote Medium Not required None Partial None
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.
722 CVE-2013-4752 79 XSS 2020-01-02 2020-01-10
4.3
None Remote Medium Not required None Partial None
Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.
723 CVE-2013-4751 20 2019-11-01 2019-11-06
4.9
None Remote Medium ??? Partial Partial None
php-symfony2-Validator has loss of information during serialization
724 CVE-2013-4589 DoS 2013-11-23 2016-08-26
4.3
None Remote Medium Not required None None Partial
The ExportAlphaQuantumType function in export.c in GraphicsMagick before 1.3.18 might allow remote attackers to cause a denial of service (crash) via vectors related to exporting the alpha of an 8-bit RGBA image.
725 CVE-2013-4485 20 DoS 2013-11-23 2019-04-22
4.0
None Remote Low ??? None None Partial
389 Directory Server 1.2.11.15 (aka Red Hat Directory Server before 8.2.11-14) allows remote authenticated users to cause a denial of service (crash) via multiple @ characters in a GER attribute list in a search request.
726 CVE-2013-4411 863 2019-12-03 2019-12-11
4.0
None Remote Low ??? Partial None None
Review Board: URL processing gives unauthorized users access to review lists
727 CVE-2013-4251 269 2019-11-04 2019-11-08
4.6
None Local Low Not required Partial Partial Partial
The scipy.weave component in SciPy before 0.12.1 creates insecure temporary directories.
728 CVE-2013-4168 79 XSS 2019-11-01 2020-08-18
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in SmokePing 2.6.9 in the start and end time fields.
729 CVE-2013-4158 79 XSS 2019-12-11 2019-12-17
4.3
None Remote Medium Not required None Partial None
smokeping before 2.6.9 has XSS (incomplete fix for CVE-2012-0790)
730 CVE-2013-2219 264 +Info 2013-07-31 2017-11-18
4.0
None Remote Low ??? Partial None None
The Red Hat Directory Server before 8.2.11-13 and 389 Directory Server do not properly restrict access to entity attributes, which allows remote authenticated users to obtain sensitive information via a search query for the attribute.
731 CVE-2013-2191 20 2014-02-08 2018-10-30
4.3
None Remote Medium Not required None Partial None
python-bugzilla before 0.9.0 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof Bugzilla servers via a crafted certificate.
732 CVE-2013-1931 79 XSS 2019-10-31 2019-11-07
4.3
None Remote Medium Not required None Partial None
A cross-site scripting (XSS) vulnerability in MantisBT 1.2.14 allows remote attackers to inject arbitrary web script or HTML via a version, related to deleting a version.
733 CVE-2013-1930 20 2019-10-31 2019-11-07
4.0
None Remote Low ??? None Partial None
MantisBT 1.2.12 before 1.2.15 allows authenticated users to by the workflow restriction and close issues.
734 CVE-2013-1820 20 2019-11-08 2019-11-14
4.7
None Local Medium Not required None None Complete
tuned before 2.x allows local users to kill running processes due to insecure permissions with tuned's ktune service.
735 CVE-2013-1812 399 DoS 2013-12-12 2013-12-13
4.3
None Remote Medium Not required None None Partial
The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.
736 CVE-2013-1416 476 DoS 2013-04-19 2021-02-02
4.0
None Remote Low ??? None None Partial
The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS-REQ request.
737 CVE-2013-0294 330 +Info 2020-01-28 2020-01-31
4.3
None Remote Medium Not required Partial None None
packet.py in pyrad before 2.1 uses weak random numbers to generate RADIUS authenticators and hash passwords, which makes it easier for remote attackers to obtain sensitive information via a brute force attack.
738 CVE-2013-0287 264 Bypass 2013-03-21 2013-05-15
4.9
None Remote Medium ??? Partial Partial None
The Simple Access Provider in System Security Services Daemon (SSSD) 1.9.0 through 1.9.4, when the Active Directory provider is used, does not properly enforce the simple_deny_groups option, which allows remote authenticated users to bypass intended access restrictions.
739 CVE-2013-0237 79 XSS 2013-07-08 2013-07-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter.
740 CVE-2012-6136 276 2019-11-20 2019-11-21
4.9
None Local Low Not required None None Complete
tuned 2.10.0 creates its PID file with insecure permissions which allows local users to kill arbitrary processes.
741 CVE-2012-5644 200 +Info 2019-11-25 2019-12-04
4.9
None Local Low Not required Complete None None
libuser has information disclosure when moving user's home directory
742 CVE-2012-4480 269 2019-12-02 2019-12-13
4.6
None Local Low Not required Partial Partial Partial
mom creates world-writable pid files in /var/run
743 CVE-2012-4451 79 XSS 2020-01-03 2020-01-14
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework 2.0.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) Debug, (2) Feed\PubSubHubbub, (3) Log\Formatter\Xml, (4) Tag\Cloud\Decorator, (5) Uri, (6) View\Helper\HeadStyle, (7) View\Helper\Navigation\Sitemap, or (8) View\Helper\Placeholder\Container\AbstractStandalone, related to Escaper.
744 CVE-2012-3354 200 +Info 2012-11-20 2013-12-13
4.3
None Remote Medium Not required Partial None None
doku.php in DokuWiki, as used in Fedora 16, 17, and 18, when certain PHP error levels are set, allows remote attackers to obtain sensitive information via the prefix parameter, which reveals the installation path in an error message.
745 CVE-2012-2251 20 Bypass 2013-01-11 2017-08-29
4.4
None Local Medium Not required Partial Partial Partial
rssh 2.3.2, as used by Debian, Fedora, and others, when the rsync protocol is enabled, allows local users to bypass intended restricted shell access via a (1) "-e" or (2) "--" command line option.
746 CVE-2012-1615 269 2019-12-06 2019-12-16
4.6
None Local Low Not required Partial Partial Partial
A Privilege Escalation vulnerability exits in Fedoraproject Sectool due to an incorrect DBus file.
747 CVE-2012-1161 200 +Info 2019-11-14 2019-11-15
4.0
None Remote Low ??? Partial None None
Moodle before 2.2.2: Course information leak via hidden courses being displayed in tag search results
748 CVE-2012-1160 732 2019-11-14 2019-11-18
4.0
None Remote Low ??? None Partial None
Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe/unsubscribe via mod/forum/index.php
749 CVE-2012-1159 200 +Info 2019-11-14 2019-11-15
4.0
None Remote Low ??? Partial None None
Moodle before 2.2.2: Overview report allows users to see hidden courses
750 CVE-2012-1158 200 +Info 2019-11-14 2019-11-18
4.0
None Remote Low ??? Partial None None
Moodle before 2.2.2 has a course information leak in gradebook where users are able to see hidden grade items in export
Total number of vulnerabilities : 702   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.