Search Results (Refine Search)
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2011-4104 |
The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method. Published: October 26, 2014; 9:55:23 PM -0400 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2011-4103 |
emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method. Published: October 26, 2014; 9:55:23 PM -0400 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2010-4820 |
Untrusted search path vulnerability in Ghostscript 8.62 allows local users to execute arbitrary PostScript code via a Trojan horse Postscript library file in Encoding/ under the current working directory, a different vulnerability than CVE-2010-2055. Published: October 26, 2014; 9:55:23 PM -0400 |
V3.x:(not available) V2.0: 4.4 MEDIUM |
CVE-2014-6635 |
Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.0 allows remote attackers to inject arbitrary web script or HTML via the src parameter in the search action to index.php. Published: October 26, 2014; 4:55:03 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-5520 |
SQL injection vulnerability in XRMS CRM, possibly 1.99.2, allows remote attackers to execute arbitrary SQL commands via the user_id parameter to plugins/webform/new-form.php, which is not properly handled by plugins/useradmin/fingeruser.php. Published: October 26, 2014; 4:55:03 PM -0400 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2014-5148 |
Xen 4.4.x, when running on an ARM system and "handling an unknown system register access from 64-bit userspace," returns to an instruction of the trap handler for kernel space faults instead of an instruction that is associated with faults in 64-bit userspace, which allows local guest users to cause a denial of service (crash) and possibly gain privileges via a crafted process. Published: October 26, 2014; 4:55:03 PM -0400 |
V3.x:(not available) V2.0: 4.6 MEDIUM |
CVE-2014-3520 |
OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request. Published: October 26, 2014; 4:55:02 PM -0400 |
V3.x:(not available) V2.0: 6.5 MEDIUM |
CVE-2013-7408 |
F5 BIG-IP Analytics 11.x before 11.4.0 uses a predictable session cookie, which makes it easier for remote attackers to have unspecified impact by guessing the value. Published: October 26, 2014; 4:55:02 PM -0400 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2013-6796 |
The SMTP server in DeepOfix 3.3 and earlier allows remote attackers to bypass authentication via an empty password, which triggers an LDAP anonymous bind. Published: October 26, 2014; 4:55:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-6037 |
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072. Published: October 26, 2014; 3:55:04 PM -0400 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2014-6133 |
IBM API Management 3.x before 3.0.1.0 allows local users to obtain sensitive ciphertext information via unspecified vectors. Published: October 26, 2014; 2:55:05 PM -0400 |
V3.x:(not available) V2.0: 2.1 LOW |
CVE-2014-6099 |
The Change Password feature in IBM Sterling B2B Integrator 5.2.x through 5.2.4 does not have a lockout protection mechanism for invalid login requests, which makes it easier for remote attackers to obtain admin access via a brute-force approach. Published: October 26, 2014; 2:55:05 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-4812 |
The installer in IBM Security AppScan Source 8.x and 9.x through 9.0.1 has an open network port for a debug service, which allows remote attackers to obtain sensitive information by connecting to this port. Published: October 26, 2014; 2:55:05 PM -0400 |
V3.x:(not available) V2.0: 1.8 LOW |
CVE-2014-2987 |
Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an admin.uiaccounts.add_user action to index.php or (2) modify settings via the newsettings parameter in an admin.uiconfig.index action to index.php. NOTE: vector 2 can be used to execute arbitrary PHP code by leveraging CVE-2014-2988. Published: October 26, 2014; 2:55:04 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2013-1641 |
Directory traversal vulnerability in the zip download functionality in QuiXplorer before 2.5.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the selitems[] parameter in a download_selected action to index.php. Published: October 26, 2014; 1:55:04 PM -0400 |
V3.x:(not available) V2.0: 7.8 HIGH |
CVE-2014-3137 |
Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code. Published: October 25, 2014; 6:55:04 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2014-0476 |
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option. Published: October 25, 2014; 6:55:04 PM -0400 |
V3.x:(not available) V2.0: 3.7 LOW |
CVE-2013-4594 |
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment. Published: October 25, 2014; 6:55:01 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-5075 |
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Published: October 25, 2014; 5:55:04 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2014-1929 |
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323. Published: October 25, 2014; 5:55:03 PM -0400 |
V3.x:(not available) V2.0: 4.4 MEDIUM |