
Search Results

Search Parameters:
There are 229,255 matching records.
Displaying matches 162,961 through 162,980.
Columns: Vuln ID | Summary | CVSS Severity (V3.x score, V2.0 score)
CVE-2014-7835

webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area.

Published: November 24, 2014; 6:59:05 AM -0500
V3.x: (not available)
V2.0: 2.1 LOW
CVE-2014-7834

mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.

Published: November 24, 2014; 6:59:04 AM -0500
V3.x: (not available)
V2.0: 4.0 MEDIUM
CVE-2014-7833

mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.

Published: November 24, 2014; 6:59:03 AM -0500
V3.x: (not available)
V2.0: 4.0 MEDIUM
CVE-2014-7832

mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.

Published: November 24, 2014; 6:59:02 AM -0500
V3.x: (not available)
V2.0: 4.0 MEDIUM
CVE-2014-7831

lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.

Published: November 24, 2014; 6:59:01 AM -0500
V3.x: (not available)
V2.0: 4.0 MEDIUM
CVE-2014-7830

Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter.

Published: November 24, 2014; 6:59:00 AM -0500
V3.x: (not available)
V2.0: 3.5 LOW
CVE-2014-5326

Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: November 23, 2014; 9:59:03 PM -0500
V3.x: (not available)
V2.0: 4.3 MEDIUM
CVE-2014-5325

The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Published: November 23, 2014; 9:59:01 PM -0500
V3.x: (not available)
V2.0: 5.0 MEDIUM
CVE-2014-5314

Buffer overflow in Cybozu Office 9 and 10 before 10.1.0, Mailwise 4 and 5 before 5.1.4, and Dezie 8 before 8.1.1 allows remote authenticated users to execute arbitrary code via e-mail messages.

Published: November 23, 2014; 9:59:00 PM -0500
V3.x: (not available)
V2.0: 9.0 HIGH
CVE-2014-6477

Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-4310, and CVE-2014-6547. NOTE: this issue was originally mapped to CVE-2014-4301, but CVE-2014-4301 is for an unrelated vulnerability.

Published: November 23, 2014; 2:59:00 PM -0500
V3.x: (not available)
V2.0: 6.8 MEDIUM
CVE-2014-8714

The dissect_write_structured_field function in epan/dissectors/packet-tn5250.c in the TN5250 dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.

Published: November 22, 2014; 9:59:05 PM -0500
V3.x: (not available)
V2.0: 5.0 MEDIUM
CVE-2014-8713

Stack-based buffer overflow in the build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet.

Published: November 22, 2014; 9:59:05 PM -0500
V3.x: (not available)
V2.0: 5.0 MEDIUM
CVE-2014-8712

The build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

Published: November 22, 2014; 9:59:03 PM -0500
V3.x: (not available)
V2.0: 5.0 MEDIUM
CVE-2014-8711

Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Published: November 22, 2014; 9:59:02 PM -0500
V3.x: (not available)
V2.0: 5.0 MEDIUM
CVE-2014-8710

The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

Published: November 22, 2014; 9:59:01 PM -0500
V3.x: (not available)
V2.0: 5.0 MEDIUM
CVE-2014-8626

Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding.

Published: November 22, 2014; 9:59:00 PM -0500
V3.x: (not available)
V2.0: 7.5 HIGH
CVE-2014-6183

IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

Published: November 22, 2014; 7:59:01 PM -0500
V3.x: (not available)
V2.0: 4.0 MEDIUM
CVE-2014-4807

Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

Published: November 22, 2014; 7:59:00 PM -0500
V3.x: (not available)
V2.0: 4.0 MEDIUM
CVE-2014-8683

Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown.

Published: November 21, 2014; 10:59:10 AM -0500
V3.x: (not available)
V2.0: 4.3 MEDIUM
CVE-2014-8682

Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.

Published: November 21, 2014; 10:59:09 AM -0500
V3.x: (not available)
V2.0: 7.5 HIGH