MEMPHIS COMPUTER REPAIR . COM

Networking - WiFi, Data Recovery, Web Design, SEO, Computer Repair and Support



 

Memphis Computer Repair brings you top quality technicians at unbeatable rates 24 hours a day, 7 days a week. Our highly trained and experienced staff will assist you with all of your information technology needs. We service business computers, residential computers, servers, workstations, desktop PCs, and laptops.

Computer Related Services

Our skilled staff has more to offer than merely computer repair services. We specialize in building and implementing residential and business computer networks. Securing your network is only a click away! Guarauntee the safety of your data by only allowing access to who you choose! Are you sure you need a new printer? Don't buy a new printer for every computer you own. Save money by networking your computers and your printer! Any printer can be used on a network, be it a residential network or a business network.

Memphis Computer Repair is always open for business. We service and repair all bands and models of computers including: Dell, Gateway, Compaq, Hewlett-Packard HP, IBM, and all custom built computers.

Our discounted computer repair rates will fit your budget.

We stand behind our work with a 100% satisfaction guarauntee!

With every computer we service we include a comprehensive and easily read reapir ticket to keep you informed on what has been done. We replace difficult computer lingo with understandable terms that you will understand. We never perform unnecessary work and we will ALWAYS inform you of the cost before any work is done!

Have you been blindsided by a computer repair company that charged you an outrageous amount for repairs you think you might not have needed? You will know the complete cost of any computer work done before the service is performed. If computer repair cost is out of your budget, we will not charge you for the estimate.

Servicing The Following Locations

Memphis, TN, Olive Branch, Southaven, Horn Lake, Hernando, Byhalia, Barton, Collierville, Cordova, Germantown, West Memphis, AR, Oakland, TN, Bartlett, Raleigh, Millington, Tunica, MS, and all areas of Shelby County Tennessee, DeSoto County Mississippi, and Marshall County Mississippi.

Have questions? Need help?

We would be glad to help you; simply contact us via our contact page, Contact Us.

*based on 33.6 Kilobits per second Internet connection speed

Valid CSS!

Open a Service Request/Repair Ticket or Call us @
901-515-8433
Name:
Address:
City: State:
Zip:Phone Number:
Email Address:
Computer Brand:
Computer Model:
Problem or Service Requested



US-CERT: The United States Computer Emergency Readiness Team


09/30/2014 08:17 PM
Apple Releases OS X bash Update 1.0
Original release date: September 30, 2014

Apple has released OS X bash Update 1.0 to address vulnerabilities found in the Bourne-again Shell (bash) which could allow a remote attacker to execute arbitrary shell commands.

US-CERT recommends users and administrators review Apple Security Update HT6495, TA14-268A, Vulnerability Note VU#252743 and the Redhat Security Article for additional details.


This product is provided subject to this Notification and this Privacy & Use policy.



09/29/2014 05:42 AM
SB14-272: Vulnerability Summary for the Week of September 22, 2014
Original release date: September 29, 2014

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
canonical -- acpi-supportThe Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."2014-09-227.2CVE-2014-0484
DEBIAN
SECUNIA
cisco -- iosCisco IOS 12.0, 12.2, 12.4, 15.0, 15.1, 15.2, and 15.3 and IOS XE 2.x and 3.x before 3.7.4S; 3.2.xSE and 3.3.xSE before 3.3.2SE; 3.3.xSG and 3.4.xSG before 3.4.4SG; and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allow remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCui11547.2014-09-257.8CVE-2014-3354
CONFIRM
cisco -- ios_xeThe metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3.3.xXO before 3.3.1XO, 3.6.xS and 3.7.xS before 3.7.6S, and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allows remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCug75942.2014-09-257.8CVE-2014-3355
CONFIRM
cisco -- ios_xeThe metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3.3.xXO before 3.3.1XO, 3.6.xS and 3.7.xS before 3.7.6S, and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allows remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCue22753.2014-09-257.8CVE-2014-3356
CONFIRM
cisco -- iosCisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE, 3.3.xXO before 3.3.1XO, 3.5.xE before 3.5.2E, and 3.11.xS before 3.11.1S allow remote attackers to cause a denial of service (device reload) via malformed mDNS packets, aka Bug ID CSCul90866.2014-09-257.8CVE-2014-3357
CONFIRM
cisco -- iosMemory leak in Cisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE, 3.3.xXO before 3.3.1XO, 3.5.xE before 3.5.2E, and 3.11.xS before 3.11.1S allows remote attackers to cause a denial of service (memory consumption, and interface queue wedge or device reload) via malformed mDNS packets, aka Bug ID CSCuj58950.2014-09-257.8CVE-2014-3358
CONFIRM
cisco -- iosMemory leak in Cisco IOS 15.1 through 15.4 and IOS XE 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allows remote attackers to cause a denial of service (memory consumption or device reload) via malformed DHCPv6 packets, aka Bug ID CSCum90081.2014-09-257.8CVE-2014-3359
CONFIRM
cisco -- iosCisco IOS 12.4 and 15.0 through 15.4 and IOS XE 3.1.xS, 3.2.xS, 3.3.xS, 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allow remote attackers to cause a denial of service (device reload) via a crafted SIP message, aka Bug ID CSCul46586.2014-09-257.8CVE-2014-3360
CONFIRM
cisco -- iosThe ALG module in Cisco IOS 15.0 through 15.4 does not properly implement SIP over NAT, which allows remote attackers to cause a denial of service (device reload) via multipart SDP IPv4 traffic, aka Bug ID CSCun54071.2014-09-257.1CVE-2014-3361
CONFIRM
cobham -- aviator_700dCobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.2014-09-227.2CVE-2014-2942
gnu -- bashGNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.2014-09-2410.0CVE-2014-6271
CERT
CERT-VN
CONFIRM
UBUNTU
DEBIAN
CISCO
REDHAT
REDHAT
REDHAT
MISC
gnu -- bashGNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.2014-09-2410.0CVE-2014-7169
CERT
CERT-VN
UBUNTU
UBUNTU
MLIST
DEBIAN
MISC
CISCO
REDHAT
MISC
google -- chromeMozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue.2014-09-257.5CVE-2014-1568
CONFIRM
CONFIRM
CONFIRM
ibm -- bladecenter_1/10gIBM System Networking G8052, G8124, G8124-E, G8124-ER, G8264, G8316, and G8264-T switches before 7.9.10.0; EN4093, EN4093R, CN4093, SI4093, EN2092, and G8264CS switches before 7.8.6.0; Flex System Interconnect Fabric before 7.8.6.0; 1G L2-7 SLB switch for Bladecenter before 21.0.21.0; 10G VFSM for Bladecenter before 7.8.14.0; 1:10G switch for Bladecenter before 7.4.8.0; 1G switch for Bladecenter before 5.3.5.0; Server Connectivity Module before 1.1.3.4; System Networking RackSwitch G8332 before 7.7.17.0; and System Networking RackSwitch G8000 before 7.1.7.0 have hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.2014-09-2310.0CVE-2014-4752
infusionsoft_gravity_forms_project -- infusionsoft_gravity_formsThe Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress does not properly restrict access, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to utilities/code_generator.php.2014-09-267.5CVE-2014-6446
MISC
Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
163 -- netease_movieThe netease movie (aka com.netease.movie) application 4.7.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6661
MISC
30a -- 30aThe 30A (aka com.app30a) application 5.26.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-265.4CVE-2014-6726
MISC
addisgag -- addis_gag_funny_amharic_picThe Addis Gag Funny Amharic Pic (aka com.wAmharicFunnyPicture) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6663
MISC
adobe -- acrobatCross-site scripting (XSS) vulnerability in the Help page in Adobe Acrobat 9.5.2 and earlier and ColdFusion 8.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2014-09-264.3CVE-2014-5315
JVNDB
CONFIRM
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.2014-09-206.8CVE-2014-0985
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.2014-09-206.8CVE-2014-0986
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.2014-09-206.8CVE-2014-0987
MISC
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.2014-09-206.8CVE-2014-0988
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.2014-09-206.8CVE-2014-0989
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the UserName parameter.2014-09-206.8CVE-2014-0990
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the projectname parameter.2014-09-206.8CVE-2014-0991
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the password parameter.2014-09-206.8CVE-2014-0992
alhazai -- leadership_newspapersThe Leadership Newspapers (aka com.LeadershipNewspapers) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6657
MISC
alibaba -- alibabaThe alibaba (aka com.alibaba.wireless) application 4.1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5976
MISC
anusthanokarehasya -- baglamukhiThe Baglamukhi (aka com.wshribaglamukhiblog) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6666
MISC
apploi -- apploi_job_search-_find_jobsThe Apploi Job Search- Find Jobs (aka com.apploi) application 4.19 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6658
MISC
autotrader.co.za -- auto_traderThe Auto Trader (aka za.co.autotrader.android.app) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5997
MISC
awesomewidgets -- rasta_weed_widgets_hdThe Rasta Weed Widgets HD (aka aw.awesomewidgets.rastaweed) application 4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6010
MISC
babybus -- babybusThe BabyBus (aka com.sinyee.babybus.concert.ru) application 3.91 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5970
MISC
babydays -- baby_daysThe baby days (aka jp.co.cyberagent.babydays) application 1.5.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5989
MISC
babygekko -- baby_gekkoMultiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some of these details are obtained from third party information.2014-09-224.3CVE-2012-5700
MISC
XF
BID
EXPLOIT-DB
SECUNIA
batch -- batch_libraryThe Batch library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6645
MISC
belasfrasesdeamor -- belas_frases_de_amorThe Belas Frases de Amor (aka com.goodbarber.frasesdeamor) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6003
MISC
bellyhoodcom_project -- bellyhoodcomThe bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6646
MISC
blogkamek -- koleksi_hadis_nabi_sawThe Koleksi Hadis Nabi SAW (aka com.wKoleksiHadisNabiSAW) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6660
MISC
bookjam -- cookbibleThe cookbible (aka net.bookjam.cookbible) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5990
MISC
bump_project -- bumpThe Bump application for Android does not properly handle implicit intents, which allows attackers to obtain sensitive owner-name information via a crafted application.2014-09-215.0CVE-2014-5320
JVNDB
celluloidapp -- celluloidThe Celluloid (aka com.eurisko.celluloid) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6016
MISC
chatbox -- chatbox_-_chat_roomsThe ChatBox - Chat Rooms (aka com.droidchatroom.messengerapp) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5958
MISC
cisco -- cisco_nexus_1000v_intercloudCross-site scripting (XSS) vulnerability in the vCloud Director component in Cisco Nexus 1000V InterCloud for VMware allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuq90524.2014-09-204.3CVE-2014-3367
cisco -- ios_xrCisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed RSVP packet, aka Bug ID CSCuq12031.2014-09-205.0CVE-2014-3376
cisco -- ios_xrsnmpd in Cisco IOS XR 5.1 and earlier allows remote authenticated users to cause a denial of service (process reload) via a malformed SNMPv2 packet, aka Bug ID CSCun67791.2014-09-204.0CVE-2014-3377
cisco -- ios_xrtacacsd in Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed TACACS+ packet, aka Bug ID CSCum00468.2014-09-205.0CVE-2014-3378
cisco -- network_convergence_system_6000Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (NPU and card hang or reload) via a malformed MPLS packet, aka Bug ID CSCuq10466.2014-09-206.1CVE-2014-3379
cisco -- unified_communications_domain_manager_platformCisco Unified Communications Domain Manager Platform Software 4.4(.3) and earlier allows remote attackers to cause a denial of service (CPU consumption) by sending crafted TCP packets quickly, aka Bug ID CSCuo42063.2014-09-235.0CVE-2014-3380
clearfishing -- pesca_de_carpa_liteThe Pesca de Carpa Lite (aka com.clearfishing.pescadecarpa.lite) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-265.4CVE-2014-6720
MISC
corntree -- halieuticsThe Halieutics (aka com.corn.Halieutics) application 21.40.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5963
MISC
d-bus_project -- d-busOff-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.2014-09-226.8CVE-2014-3635
MLIST
DEBIAN
SECUNIA
decoracionesnailart -- designs_nail_artsThe Designs Nail Arts (aka com.decoracionesnailart.flickr) application 3.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5967
MISC
defence -- defence.pkThe Defence.pk (aka com.tapatalk.defencepkforums) application 2.4.13.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6659
MISC
ding -- ding_ezetop._top-up_any_phoneThe ding* ezetop. Top-up Any Phone (aka com.ezetop.world) application 1.3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5994
MISC
dnb -- dnb_tradeThe DNB Trade (aka lt.dnb.mobiletrade) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6640
MISC
dotclear -- dotclearCross-site scripting (XSS) vulnerability in Dotclear before 2.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted page.2014-09-214.3CVE-2014-5316
JVNDB
drar-eym -- drareymThe drareym (aka com.drareym) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6656
MISC
dteenergy -- dte_energyThe DTE Energy (aka com.dteenergy.mydte) application 3.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6002
MISC
ericpol -- ewus_mobileThe eWUS mobile (aka pl.dreryk.ewustest) application 1.4.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5995
MISC
eset -- endpoint_securityThe ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call.2014-09-236.9CVE-2014-4973
MISC
FULLDISC
exoticpetnetwork -- tortoise_forumThe Tortoise Forum (aka org.tortoiseforum.android.forumrunner) application 3.5.16 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6655
MISC
fiatforum -- fiat_forumThe FIAT Forum (aka com.tapatalk.fiatforumcom) application 3.8.41 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6643
MISC
fiksu -- fiksu_libraryThe Fiksu library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5971
MISC
filemaker -- filemaker_proFileMaker Pro before 13 and Pro Advanced before 13 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2319.2014-09-215.8CVE-2014-5321
JVNDB
filemaker -- filemaker_proCross-site scripting (XSS) vulnerability in the Instant Web Publish function in FileMaker Pro before 13 and Pro Advanced before 13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-3640.2014-09-214.3CVE-2014-5322
JVNDB
formnage -- cutpriceThe cutprice (aka kr.co.wedoit.cutprice) application 1.0.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6011
MISC
freshdirect -- freshdirectThe FreshDirect (aka com.freshdirect.android) application 2.7.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6000
MISC
friendcasterapp -- friendcasterThe Friendcaster (aka uk.co.senab.blueNotifyFree) application 5.4.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6672
MISC
fuelrewards -- fuel_rewards_networkThe Fuel Rewards Network (aka com.excentus.frn) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6020
MISC
gamelikeapps -- guess_the_actorThe Guess The Actor (aka com.gamelikeinc.actors) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5962
MISC
gcspublishing -- homesteading_todayThe Homesteading Today (aka com.tapatalk.homesteadingtodaycom) application 3.7.14 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6641
MISC
gebrauchtwagenreport -- dekra_used_car_reportThe DEKRA Used Car Report (aka com.dekra.maengelreport) application 3.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5996
MISC
genertel -- genertelThe Genertel (aka com.genertel) application 2.6.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5980
MISC
geniuscloud -- smart_browserThe Smart Browser (aka smartbrowser.geniuscloud) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5809
MISC
getjar -- azkend_goldThe Azkend Gold (aka com.the10tons.azkend.gold) application 1.2.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5988
MISC
gewara -- gewaraThe gewara (aka com.gewara) application 5.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6001
MISC
global_beauty_research_project -- global_beauty_researchThe global beauty research (aka com.appems.topgirl) application 1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6018
MISC
golauncher -- dreamland_super_theme_go_goldThe Dreamland Super Theme GO Gold (aka com.gau.go.launcherex.viptheme.dreamland.gold) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5966
MISC
grabapp -- eponymsThe eponyms (aka com.anddeveloper.eponyms) application 3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5975
MISC
gratta_&_vinci?_project -- gratta_&_vinci?The Gratta & Vinci? (aka com.dreamstep.wGrattaevinci) application 0.21.13167.93474 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6006
MISC
groovemusic_project -- groovemusicThe GrooveMusic (aka com.mobincube.android.sc_2HKFF) application 2.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5965
MISC
h-dvisa -- harley-davidson_visaThe Harley-Davidson Visa (aka com.usbank.icsmobile.harleydavidson) application 1.18 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6021
MISC
hdcar -- russiananimeThe russiananime (aka com.rareartifact.russiananime68A5CCFE) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5961
MISC
hdcar -- exercitii_pentru_abdomenThe Exercitii pentru abdomen (aka com.rareartifact.exercitiipentruabdomen41E29322) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6676
MISC
healthylifestyle_project -- healthylifestyleThe healthylifestyle (aka com.alek.healthylifestyle) application 1.2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5969
MISC
huge-it -- image_gallerySQL injection vulnerability in the editgallery function in admin/gallery_func.php in the Huge-IT Image Gallery plugin 1.0.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the removeslide parameter to wp-admin/admin.php.2014-09-226.5CVE-2014-7153
MISC
ibm -- rational_clearcaseIBM Rational ClearCase 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.2014-09-235.0CVE-2014-3090
XF
ibm -- rational_clearcaseThe login form in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not insert a delay after a failed authentication attempt, which makes it easier for remote attackers to obtain access via a brute-force attack.2014-09-235.0CVE-2014-3101
XF
ibm -- rational_clearcaseThe Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.2014-09-235.0CVE-2014-3103
XF
ibm -- rational_clearcaseIBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.2014-09-235.0CVE-2014-3104
XF
ibm -- rational_clearcaseThe OSLC integration feature in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names via a series of requests.2014-09-235.0CVE-2014-3105
XF
ibm -- rational_clearcaseIBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not properly implement the Local Access Only protection mechanism, which allows remote attackers to bypass authentication and read files via the Help Server Administration feature.2014-09-235.0CVE-2014-3106
XF
ibm -- websphere_application_serverCross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.x through 6.1.0.47, 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.2014-09-236.0CVE-2014-4816
XF
igolf -- igolf_-_golf_gpsThe iGolf - Golf GPS (aka com.igolf) application 20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5968
MISC
ingen-studios -- conquest_of_fantasiaThe Conquest Of Fantasia (aka air.com.ingen.studios.cof.sg) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6014
MISC
iphone4 -- iphone4.twThe iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6648
MISC
ipposan -- memetanThe memetan (aka memetan.android.com.activity) application 1.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5978
MISC
jig -- jigbrowser+The jigbrowser+ application 1.8.1 and earlier for iOS allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.2014-09-265.8CVE-2014-5318
CONFIRM
JVNDB
JVN
kbv -- federal_doctorsThe BundesArztsuche (aka de.kbv.bas) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5960
MISC
krstarica -- forum_krstariceThe Forum Krstarice (aka com.tapatalk.forumkrstaricacom) application 3.5.14 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6662
MISC
lazyer -- doodle_dropThe Doodle Drop (aka net.lazyer.DoodleDrop) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6017
MISC
letshare -- world_cup_2014_brazil_-_xem_tvThe World Cup 2014 Brazil - Xem TV (aka vn.letshare.football.worldcup) application 2.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6671
MISC
likeheroapp -- likehero_get_instagram_likesThe LikeHero Get Instagram Likes (aka com.fraoula.likehero) application 1.0.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6007
MISC
loving.fm -- loving_-_couple_essentiaThe Loving - Couple Essential (aka com.xiaoenai.app) application 4.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5972
MISC
marksdailyapple -- mark's_daily_apple_forumThe Mark's Daily Apple Forum (aka com.tapatalk.marksdailyapplecomforum) application 2.4.9.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6642
MISC
megabank -- megabankThe MegaBank (aka com.megabank.mobilebank) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5964
MISC
microsoft -- nokia_asha_501_softwareMicrosoft Asha OS on the Microsoft Mobile Nokia Asha 501 phone 14.0.4 allows physically proximate attackers to bypass the lock-screen protection mechanism, and read or modify contact information or dial arbitrary telephone numbers, by tapping the SOS Option and then tapping the Green Call Option.2014-09-216.6CVE-2014-6602
MISC
mobile_face_project -- mobile_faceThe Mobile Face (aka com.wFacemobile) application 0.74.13432.91159 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5977
MISC
mol -- mol_bringapontThe MOL bringaPONT (aka hu.mol.bringapont) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6684
MISC
moweather -- moweatherThe MoWeather (aka com.moji.moweather) application 1.40.05 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5981
MISC
mr384_project -- mzone_loginThe Mzone Login (aka com.mr384.MzoneLogin) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5665
MISC
mybroadband -- mybroadband_tapatalkThe MyBroadband Tapatalk (aka com.tapatalk.mybroadbandcozavb) application 3.9.22 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6649
MISC
mytx -- tx_smartThe tx Smart (aka com.wooriwm.txsmart) application 7.05 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5959
MISC
najeebmedia -- n-media_file_uploaderUnrestricted file upload vulnerability in the N-Media file uploader plugin before 3.4 for WordPress allows remote authenticated users to execute arbitrary PHP code by leveraging Author privileges to store a file.2014-09-266.5CVE-2014-5324
JVNDB
JVN
nana_project -- african_radios_liveThe African Radios Live (aka com.nana.africanradioslive) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6668
MISC
netjapan -- tsushima_travel_guideThe Tsushima Travel Guide (aka com.netjapan.ntsushima) application 1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6685
MISC
nextgenupdate -- nextgenupdateThe NextGenUpdate (aka com.tapatalk.nextgenupdatecomforums) application 3.1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6650
MISC
nuphoto -- nusquareThe nuSquare (aka tw.com.nuphoto.nusquare) application 1.0.78 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6013
MISC
openelectrical -- open_electrical_webserThe Open Electrical Webser (aka com.wOpenElectricalWeb) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6683
MISC
planetofthevapes -- planet_of_the_vapes_forumThe Planet of the Vapes Forum (aka com.tapatalk.planetofthevapescoukforums) application 3.7.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6651
MISC
playcomo -- little_dragonsThe Little Dragons (aka com.playcomo.dragongame) application 1.0.256 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5984
MISC
pocket_cam_photo_editor_project -- pocket_cam_photo_editorThe Pocket Cam Photo Editor (aka mobi.pocketcam.editor) application 3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6004
MISC
pocketmags -- inside_crochetThe Inside Crochet (aka com.magazinecloner.insidecrochet) application @7F08017A for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6669
MISC
praninc -- facebook_factsThe Facebook Facts (aka com.wFacebookFacts) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6637
MISC
preplaysports -- mlb_preplayThe MLB Preplay (aka com.preplay.android.mlb) application 5.4.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5993
MISC
psecu -- psecu_mobile+The PSECU Mobile+ (aka com.Vertifi.Mobile.P231381116) application 2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5974
MISC
psychology_project -- psychologyThe psychology (aka com.alek.psychology) application 1.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6019
MISC
puzzles_and_matchup_games_project -- educational_puzzles_-_lettersThe Educational Puzzles - Letters (aka com.EducationalPuzzlesLetters) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5986
MISC
quranedu -- ahmed_bukhatir_nasheeds_tvThe Ahmed Bukhatir Nasheeds TV (aka com.wAhmedBukhatirApp) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6665
MISC
redhat -- network_satelliteCross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.2014-09-224.3CVE-2014-3595
SECUNIA
rsupport -- lg_telepresenceThe LG Telepresence (aka com.rsupport.rtc.lge) application 2.0.12 Build 63 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6636
MISC
runkeeper -- runkeeper_-_gps_track_run_walkThe RunKeeper - GPS Track Run Walk (aka com.fitnesskeeper.runkeeper.pro) application 4.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5982
MISC
rutaexacta -- ruta_exactaThe Ruta Exacta (aka com.rutaexacta.m) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6675
MISC
s-peek -- s-peek_credit_rating_reportThe s-peek credit rating report (aka com.rhomobile.speek) application 2.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6023
MISC
santiagosarceda -- elforro.comThe ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6647
MISC
secondfiction -- blitz_bingoThe Blitz Bingo (aka com.appMobi.sbbingo.app) application 2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6008
MISC
singaporemotherhood -- singaporemotherhood_forumThe SingaporeMotherhood Forum (aka com.tapatalk.singaporemotherhoodcomforum) application 3.6.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6670
MISC
skin_conditions_and_diseases_project -- skin_conditions_and_diseasesThe Skin Conditions and Diseases (aka com.appsgeyser.wSkinConditions) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5991
MISC
skydrive_assistant_project -- skydrive_assistantThe SkyDrive Assistant (aka com.dhh.sky) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5998
MISC
socialknowledge -- aquarium_adviceThe Aquarium Advice (aka com.socialknowledge.aquariumadvice) application 3.7.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5973
MISC
sos -- jobschedulerXML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.2014-09-235.8CVE-2014-5392
CONFIRM
successsecrets -- successsecrets_projectThe successsecrets (aka com.alek.successsecrets) application 1.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5992
MISC
survey.com -- survey.com_mobileThe Survey.com Mobile (aka com.survey.android) application 3.2.16 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6005
MISC
telenavsoftware -- autonaviThe autonavi (aka com.telenav.doudouyou.android.autonavi) application 4.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5999
MISC
threadflip -- threadflip_:_buy,_sell_fashionThe Threadflip : Buy, Sell Fashion (aka com.threadflip.android) application 1.1.11 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5983
MISC
three -- my3The My3 - by 3HK (aka com.my3) application @7F0A0001 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5987
CERT-VN
MISC
ticketroundup -- ticket_round_upThe Ticket Round Up (aka com.xcr.android.ticketroundupapp) application 3.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6677
MISC
tiomobilepay -- tio_mobilepay_-_bill_paymentsThe TIO MobilePay - Bill Payments (aka com.tionetworks.mobile.android.tioclient) application 1.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6639
MISC
toddm -- gravity_bounceThe Gravity Bounce (aka net.toddm.gb) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6012
MISC
topappsbuilder_project -- animal_kaiser_zangetsuThe Animal Kaiser Zangetsu (aka com.wAnimalKaiserZangetsu) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5985
MISC
tucarro -- tucarroThe TuCarro (aka com.tucarro) application 2.0.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6015
MISC
tvbengali -- tv_bengali_open_directoryThe TV Bengali Open Directory (aka com.TVBengali) application 1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5979
MISC
versentbooks -- versent_booksThe Versent Books (aka com.versentbooks) application 1.1.99 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6022
MISC
wireshark -- wiresharkUse-after-free vulnerability in the SDP dissector in Wireshark 1.10.x before 1.10.10 allows remote attackers to cause a denial of service (application crash) via a crafted packet that leverages split memory ownership between the SDP and RTP dissectors.2014-09-205.0CVE-2014-6421
CONFIRM
CONFIRM
wireshark -- wiresharkThe SDP dissector in Wireshark 1.10.x before 1.10.10 creates duplicate hashtables for a media channel, which allows remote attackers to cause a denial of service (application crash) via a crafted packet to the RTP dissector.2014-09-205.0CVE-2014-6422
CONFIRM
CONFIRM
wireshark -- wiresharkThe tvb_raw_text_add function in epan/dissectors/packet-megaco.c in the MEGACO dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (infinite loop) via an empty line.2014-09-205.0CVE-2014-6423
CONFIRM
CONFIRM
wireshark -- wiresharkThe dissect_v9_v10_pdu_data function in epan/dissectors/packet-netflow.c in the Netflow dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 refers to incorrect offset and start variables, which allows remote attackers to cause a denial of service (uninitialized memory read and application crash) via a crafted packet.2014-09-205.0CVE-2014-6424
CONFIRM
CONFIRM
wireshark -- wiresharkThe (1) get_quoted_string and (2) get_unquoted_string functions in epan/dissectors/packet-cups.c in the CUPS dissector in Wireshark 1.12.x before 1.12.1 allow remote attackers to cause a denial of service (buffer over-read and application crash) via a CUPS packet that lacks a trailing '\0' character.2014-09-205.0CVE-2014-6425
CONFIRM
CONFIRM
wireshark -- wiresharkThe dissect_hip_tlv function in epan/dissectors/packet-hip.c in the HIP dissector in Wireshark 1.12.x before 1.12.1 does not properly handle a NULL tree, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.2014-09-205.0CVE-2014-6426
CONFIRM
wireshark -- wiresharkOff-by-one error in the is_rtsp_request_or_reply function in epan/dissectors/packet-rtsp.c in the RTSP dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet that triggers parsing of a token located one position beyond the current position.2014-09-205.0CVE-2014-6427
CONFIRM
CONFIRM
wireshark -- wiresharkThe dissect_spdu function in epan/dissectors/packet-ses.c in the SES dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not initialize a certain ID value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.2014-09-205.0CVE-2014-6428
CONFIRM
CONFIRM
wireshark -- wiresharkThe SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not properly handle empty input data, which allows remote attackers to cause a denial of service (application crash) via a crafted file.2014-09-205.0CVE-2014-6429
CONFIRM
CONFIRM
wireshark -- wiresharkThe SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not validate bitmask data, which allows remote attackers to cause a denial of service (application crash) via a crafted file.2014-09-205.0CVE-2014-6430
CONFIRM
CONFIRM
wireshark -- wiresharkBuffer overflow in the SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted file that triggers writes of uncompressed bytes beyond the end of the output buffer.2014-09-205.0CVE-2014-6431
CONFIRM
CONFIRM
wireshark -- wiresharkThe SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not prevent data overwrites during copy operations, which allows remote attackers to cause a denial of service (application crash) via a crafted file.2014-09-205.0CVE-2014-6432
CONFIRM
CONFIRM
wizaz -- wizaz_forumThe Wizaz Forum (aka com.tapatalk.wizazplforum) application 3.6.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6652
MISC
wordbox -- algeria_radioThe Algeria Radio (aka com.wordbox.algeriaRadio) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6678
MISC
wordbox -- mahabharata_audiocastThe Mahabharata Audiocast (aka com.wordbox.mahabharataAudiocast) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6681
MISC
wordboxapps -- afghan_radioThe Afghan Radio (aka com.wordbox.afghanRadio) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6653
MISC
wtmdesktop_project -- wtmdesktopThe wTMDesktop (aka com.wTMDesktop) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6638
MISC
wtrootrootvizle_project -- wtrootrootvizleThe wTrootrooTvIzle (aka com.wTrootrooTvIzle) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6654
MISC
zombie_detector_project -- zombie_detectorThe Zombie Detector (aka com.jimmybolstad.zombiedetector) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6009
MISC
Back to top

Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
d-bus_project -- d-busD-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.2014-09-222.1CVE-2014-3637
MLIST
DEBIAN
SECUNIA
d-bus_project -- d-busThe bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.2014-09-222.1CVE-2014-3638
MLIST
DEBIAN
SECUNIA
d-bus_project -- d-busThe dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.2014-09-222.1CVE-2014-3639
MLIST
DEBIAN
SECUNIA
ibm -- websphere_application_serverCross-site scripting (XSS) vulnerability in IBM WebSphere Application Server (WAS) 6.x through 6.1.0.47, 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 allows remote authenticated administrators to inject arbitrary web script or HTML via a crafted URL.2014-09-233.5CVE-2014-4770
XF
ibm -- curam_social_program_managementCross-site scripting (XSS) vulnerability in IBM Curam Social Program Management (SPM) 6.0.4 before 6.0.4.5 iFix7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.2014-09-233.5CVE-2014-6091
Back to top


This product is provided subject to this Notification and this Privacy & Use policy.



09/25/2014 11:56 AM
TA14-268A: GNU Bourne-Again Shell (Bash) Shellshock Vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE 2014-6278)
Original release date: September 25, 2014 | Last revised: September 30, 2014

Systems Affected

  • GNU Bash through 4.3.
  • Linux and Mac OS X systems, on which Bash is part of the base operating system.
  • Any BSD or UNIX system on which GNU Bash has been installed as an add-on.
  • Any UNIX-like operating system on which the /bin/sh interface is implemented as GNU Bash.

Overview

A critical vulnerability has been reported in the GNU Bourne-Again Shell (Bash), the common command-line shell used in many Linux/UNIX operating systems and Apples Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1]. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.

Description

GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2, 3]

Critical instances where the vulnerability may be exposed include: [4, 5]

  • Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn GNU Bash subshells, or on any system where the /bin/sh interface is implemented using GNU Bash.
  • Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities. This data path is vulnerable on systems where the /bin/sh interface is implemented using GNU Bash.
  • Allow arbitrary commands to run on a DHCP client machine.

Impact

This vulnerability is classified by industry standards as High impact with CVSS Impact Subscore 10 and Low on complexity, which means it takes little skill to perform. This flaw allows attackerswho canprovide specially crafted environment variables containing arbitrary commands to execute on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.

Solution

Initial solutions for Shellshock do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278. Red Hat has provided a support article [6] with updated information.

Many UNIX-like operating systems,including Linux distributions and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [7].

US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summaries for CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278 to mitigate damage caused by the exploit.

References

Revision History

  • September 25, 2014 - Initial Release
  • September 26, 2014 - Minor Revisions
  • September 30, 2014 - Update to include additional CVE information

This product is provided subject to this Notification and this Privacy & Use policy.



09/24/2014 05:06 PM
Bourne-Again Shell (Bash) Remote Code Execution Vulnerability
Original release date: September 24, 2014 | Last revised: September 30, 2014

US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.

US-CERT recommends users and administrators reviewTA14-268A,Vulnerability Note VU#252743and the Redhat Security Blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. A GNU Bash patch is also available for experienced users and administrators to implement.


This product is provided subject to this Notification and this Privacy & Use policy.



09/24/2014 03:32 PM
Mozilla Network Security Services (NSS) Library Vulnerability
Original release date: September 24, 2014

A vulnerability in the Mozilla NSS library could allow an attacker to forge an RSA signature, such as an SSL certificate. The package is often included in 3rd party software, including Linux distributions, Google Chrome, and others. It is possible that other cryptographic libraries may be similarly affected.

US-CERT recommends users and administrators review Vulnerability Note VU#772676, Mozilla Foundation Security Advisory 2014-73, and Google Stable Channel Update Blog for additional information and mitigation details.


This product is provided subject to this Notification and this Privacy & Use policy.



09/22/2014 05:59 AM
SB14-265: Vulnerability Summary for the Week of September 15, 2014
Original release date: September 22, 2014 | Last revised: September 23, 2014

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
adobe -- acrobat
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors.2014-09-1710.0CVE-2014-0560
adobe -- acrobat
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0567.2014-09-1710.0CVE-2014-0561
adobe -- acrobat
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to cause a denial of service (memory corruption) via unspecified vectors.2014-09-177.8CVE-2014-0563
adobe -- acrobat
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0566.2014-09-1710.0CVE-2014-0565
adobe -- acrobat
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0565.2014-09-1710.0CVE-2014-0566
adobe -- acrobat
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0561.2014-09-1710.0CVE-2014-0567
adobe -- acrobat
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows allow attackers to bypass a sandbox protection mechanism, and consequently execute native code in a privileged context, via unspecified vectors.2014-09-1710.0CVE-2014-0568
apple -- apple_tv
The IOAcceleratorFamily API implementation in Apple iOS before 8 and Apple TV before 7 allows attackers to cause a denial of service (NULL pointer dereference and device crash) via an application that uses crafted arguments.2014-09-187.8CVE-2014-4369
APPLE
APPLE
apple -- apple_tv
The IntelAccelerator driver in the IOAcceleratorFamily subsystem in Apple iOS before 8 and Apple TV before 7 allows attackers to cause a denial of service (NULL pointer dereference and device restart) via a crafted application.2014-09-187.8CVE-2014-4373
APPLE
APPLE
apple -- apple_tv
Double free vulnerability in Apple iOS before 8 and Apple TV before 7 allows local users to gain privileges or cause a denial of service (device crash) via vectors related to Mach ports.2014-09-187.2CVE-2014-4375
APPLE
APPLE
apple -- mac_os_x
IOKit in IOAcceleratorFamily in Apple OS X before 10.9.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted API arguments.2014-09-1910.0CVE-2014-4376
apple -- apple_tv
An unspecified IOHIDFamily function in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking to prevent reading of kernel pointers, which allows attackers to bypass the ASLR protection mechanism via a crafted application.2014-09-187.1CVE-2014-4379
APPLE
APPLE
apple -- apple_tv
The IOHIDFamily kernel extension in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking on write operations, which allows attackers to execute arbitrary code in the kernel's context via a crafted application.2014-09-189.3CVE-2014-4380
APPLE
APPLE
apple -- apple_tv
Libnotify in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking on write operations, which allows attackers to execute arbitrary code as root via a crafted application.2014-09-189.3CVE-2014-4381
APPLE
APPLE
apple -- apple_tv
IOKit in Apple iOS before 8 and Apple TV before 7 does not properly validate IODataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via an application that provides crafted values in unspecified metadata fields, a different vulnerability than CVE-2014-4418.2014-09-189.3CVE-2014-4388
APPLE
APPLE
apple -- apple_tv
Integer overflow in IOKit in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted API arguments.2014-09-189.3CVE-2014-4389
APPLE
APPLE
apple -- mac_os_x
Bluetooth in Apple OS X before 10.9.5 does not properly validate API calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application.2014-09-199.3CVE-2014-4390
apple -- mac_os_x
Buffer overflow in the shader compiler in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GLSL shader.2014-09-1910.0CVE-2014-4393
apple -- mac_os_x
An unspecified IOAcceleratorFamily function in Apple OS X before 10.9.5 lacks proper bounds checking on read operations, which allows attackers to execute arbitrary code in a privileged context via a crafted application.2014-09-199.3CVE-2014-4402
apple -- apple_tv
Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties.2014-09-189.3CVE-2014-4404
APPLE
APPLE
apple -- apple_tv
IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted key-mapping properties.2014-09-189.3CVE-2014-4405
APPLE
APPLE
apple -- apple_tv
IOKit in Apple iOS before 8 and Apple TV before 7 does not properly validate IODataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via an application that provides crafted values in unspecified metadata fields, a different vulnerability than CVE-2014-4388.2014-09-189.3CVE-2014-4418
APPLE
APPLE
apple -- os_x_server
SQL injection vulnerability in Wiki Server in CoreCollaboration in Apple OS X Server before 2.2.3 and 3.x before 3.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.2014-09-197.5CVE-2014-4424
ecava -- integraxor
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.2014-09-159.0CVE-2014-2375
ecava -- integraxor
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.2014-09-157.5CVE-2014-2376
emc -- documentum_content_server
EMC Documentum Content Server before 6.7 SP2 P17, 7.0 through P15, and 7.1 before P08 does not properly check authorization for subtypes of protected system types, which allows remote authenticated users to obtain super-user privileges for system-object creation, and bypass intended restrictions on data access and server actions, via unspecified vectors.2014-09-178.5CVE-2014-4621
BUGTRAQ
emc -- documentum_content_server
EMC Documentum Content Server before 6.7 SP2 P17, 7.0 through P15, and 7.1 before P08 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors.2014-09-177.1CVE-2014-4622
BUGTRAQ
microsoft -- office
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."2014-09-199.3CVE-2006-1318
mpay24_project -- mpay24
SQL injection vulnerability in confirm.php in the mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to execute arbitrary SQL commands via the TID parameter.2014-09-127.5CVE-2014-2008
XF
OSVDB
mpexsolutions -- mx-smartimer
SQL injection vulnerability in Login.aspx in MPEX Business Solutions MX-SmartTimer before 13.19.18 allows remote attackers to execute arbitrary SQL commands via the ct100%24CPHContent%24password parameter.2014-09-127.5CVE-2014-5440
XF
FULLDISC
MISC
Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
adobe -- acrobat
Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."2014-09-174.3CVE-2014-0562
advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.2014-09-206.8CVE-2014-0985
advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.2014-09-206.8CVE-2014-0986
advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.2014-09-206.8CVE-2014-0987
MISC
advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.2014-09-206.8CVE-2014-0988
advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.2014-09-206.8CVE-2014-0989
advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the UserName parameter.2014-09-206.8CVE-2014-0990
advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the projectname parameter.2014-09-206.8CVE-2014-0991
advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the password parameter.2014-09-206.8CVE-2014-0992
apple -- mac_os_x
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.2014-09-196.8CVE-2014-1391
apple -- mac_os_x
Buffer overflow in QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MIDI file.2014-09-196.8CVE-2014-4350
apple -- iphone_os
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.2014-09-184.3CVE-2014-4353
APPLE
apple -- iphone_os
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.2014-09-185.8CVE-2014-4354
APPLE
apple -- iphone_os
The Home & Lock Screen subsystem in Apple iOS before 8 does not properly restrict the private API for app prominence, which allows attackers to determine the frontmost app by leveraging access to a crafted background app.2014-09-185.0CVE-2014-4361
APPLE
apple -- iphone_os
The Sandbox Profiles implementation in Apple iOS before 8 does not properly restrict the third-party app sandbox profile, which allows attackers to obtain sensitive Apple ID information via a crafted app.2014-09-185.0CVE-2014-4362
APPLE
apple -- iphone_os
Safari in Apple iOS before 8 does not properly restrict the autofilling of passwords in forms, which allows remote attackers to obtain sensitive information via (1) an http web site, (2) an https web site with an unacceptable X.509 certificate, or (3) an IFRAME element.2014-09-185.0CVE-2014-4363
APPLE
apple -- apple_tv
The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the MS-CHAPv1 hash.2014-09-184.3CVE-2014-4364
APPLE
APPLE
apple -- iphone_os
Mail in Apple iOS before 8 does not prevent sending a LOGIN command to a LOGINDISABLED IMAP server, which allows remote attackers to obtain sensitive cleartext information by sniffing the network.2014-09-185.0CVE-2014-4366
APPLE
apple -- iphone_os
The Accessibility subsystem in Apple iOS before 8 allows attackers to interfere with screen locking via vectors related to AssistiveTouch events.2014-09-186.9CVE-2014-4368
APPLE
apple -- iphone_os
NSXMLParser in Foundation in Apple iOS before 8 allows attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.2014-09-185.0CVE-2014-4374
APPLE
apple -- apple_tv
Integer overflow in CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.2014-09-186.8CVE-2014-4377
APPLE
APPLE
apple -- apple_tv
CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a crafted PDF document.2014-09-185.8CVE-2014-4378
APPLE
APPLE
apple -- apple_tv
The Assets subsystem in Apple iOS before 8 and Apple TV before 7 allows man-in-the-middle attackers to spoof a device's update status via a crafted Last-Modified HTTP response header.2014-09-184.3CVE-2014-4383
APPLE
APPLE
apple -- mac_os_x
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416.2014-09-196.9CVE-2014-4394
apple -- mac_os_x
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416.2014-09-196.9CVE-2014-4395
apple -- mac_os_x
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416.2014-09-196.9CVE-2014-4396
apple -- mac_os_x
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416.2014-09-196.9CVE-2014-4397
apple -- mac_os_x
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416.2014-09-196.9CVE-2014-4398
apple -- mac_os_x
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416.2014-09-196.9CVE-2014-4399
apple -- mac_os_x
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4401, and CVE-2014-4416.2014-09-196.9CVE-2014-4400
apple -- mac_os_x
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, and CVE-2014-4416.2014-09-196.9CVE-2014-4401
apple -- os_x_server
Cross-site scripting (XSS) vulnerability in Xcode Server in CoreCollaboration in Apple OS X Server before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2014-09-194.3CVE-2014-4406
apple -- apple_tv
IOKit in Apple iOS before 8 and Apple TV before 7 does not properly initialize kernel memory, which allows attackers to obtain sensitive memory-content information via an application that makes crafted IOKit function calls.2014-09-184.3CVE-2014-4407
APPLE
APPLE
apple -- apple_tv
The rt_setgate function in the kernel in Apple iOS before 8 and Apple TV before 7 allows local users to gain privileges or cause a denial of service (out-of-bounds read and device crash) via a crafted call.2014-09-186.9CVE-2014-4408
APPLE
APPLE
apple -- iphone_os
WebKit in Apple iOS before 8 makes it easier for remote attackers to track users during private browsing via a crafted web site that reads HTML5 application-cache data that had been stored during normal browsing.2014-09-184.3CVE-2014-4409
APPLE
apple -- apple_tv
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.2014-09-186.8CVE-2014-4410
APPLE
APPLE
apple -- apple_tv
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.2014-09-186.8CVE-2014-4411
APPLE
APPLE
apple -- apple_tv
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.2014-09-186.8CVE-2014-4412
APPLE
APPLE
apple -- apple_tv
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.2014-09-186.8CVE-2014-4413
APPLE
APPLE
apple -- apple_tv
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.2014-09-186.8CVE-2014-4414
APPLE
APPLE
apple -- apple_tv
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.2014-09-186.8CVE-2014-4415
APPLE
APPLE
apple -- mac_os_x
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, and CVE-2014-4401.2014-09-196.9CVE-2014-4416
apple -- apple_tv
The kernel in Apple iOS before 8 and Apple TV before 7 uses a predictable random number generator during the early portion of the boot process, which allows attackers to bypass certain kernel-hardening protection mechanisms by using a user-space process to observe data related to the random numbers.2014-09-186.8CVE-2014-4422
APPLE
APPLE
apple -- iphone_os
The Accounts subsystem in Apple iOS before 8 allows attackers to bypass a sandbox protection mechanism and obtain an active iCloud account's Apple ID and metadata via a crafted application.2014-09-184.3CVE-2014-4423
APPLE
blackcat-cms -- blackcat_cms
Cross-site scripting (XSS) vulnerability in cattranslate.php in the CatTranslate JQuery plugin in BlackCat CMS 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.2014-09-124.3CVE-2014-5259
MISC
XF
BUGTRAQ
MISC
ecava -- integraxor
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.2014-09-155.0CVE-2014-2377
embarcadero -- embarcadero_c++builder_xe6
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.2014-09-156.8CVE-2014-0993
MISC
episerver -- episerver
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2014-09-174.3CVE-2012-1032
XF
BID
SECUNIA
OSVDB
facebook -- facebook
Cross-site scripting (XSS) vulnerability in the Facebook app 14.0 and the Facebook Messenger app 10.0 for iOS allows remote attackers to inject arbitrary web script or HTML via a crafted filename extension that is improperly handled during MIME sniffing of chat traffic.2014-09-154.3CVE-2014-6392
FULLDISC
fatfreecrm -- fat_free_crm
Multiple cross-site scripting (XSS) vulnerabilities in app/views/layouts/application.html.haml in Fat Free CRM before 0.13.3 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name in a (a) create or (b) edit user action.2014-09-124.3CVE-2014-5441
CONFIRM
MISC
ibm -- integration_bus
The web user interface in IBM WebSphere Message Broker 8.0 before 8.0.0.6 and IBM Integration Bus 9.0 before 9.0.0.3 allows remote authenticated users to obtain sensitive information by reading the error page.2014-09-184.0CVE-2014-4819
XF
ibm -- integration_bus_manufacturing_pack
Cross-site scripting (XSS) vulnerability in IBM Integration Bus Manufacturing Pack 1.x before 1.0.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2014-09-184.3CVE-2014-4820
XF
ibm -- qradar_security_information_and_event_manager
SQL injection vulnerability in IBM Security QRadar SIEM 7.2 before 7.2.3 Patch 1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.2014-09-186.5CVE-2014-4824
XF
ibm -- qradar_security_information_and_event_manager
IBM Security QRadar SIEM 7.2 before 7.2.3 Patch 1 does not properly handle SSH connections, which allows remote attackers to obtain sensitive cleartext information by sniffing the network.2014-09-184.3CVE-2014-4826
XF
mailenable -- mailenable
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message.2014-09-194.3CVE-2012-2588
XF
BID
EXPLOIT-DB
SECUNIA
OSVDB
mini_mail_dashboard_widget_project -- mini_mail_dashboard_widget
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.2014-09-174.3CVE-2012-2583
XF
BID
EXPLOIT-DB
OSVDB
moodle -- moodle
The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum.2014-09-154.0CVE-2014-3617
MLIST
CONFIRM
mpay24_project -- mpay24
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.2014-09-125.0CVE-2014-2009
XF
EXPLOIT-DB
FULLDISC
MISC
OSVDB
mywebsql -- mywebsql
Cross-site scripting (XSS) vulnerability in MyWebSQL 3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the table parameter to index.php.2014-09-124.3CVE-2014-4735
MISC
XF
BUGTRAQ
MISC
nongnu -- gksu
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during installation of a VirtualBox extension pack.2014-09-186.8CVE-2014-2886
MISC
MISC
MISC
open-xchange -- open-xchange_appsuite
Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via a folder publication name.2014-09-174.3CVE-2014-5234
BID
BUGTRAQ
SECUNIA
MISC
open-xchange -- open-xchange_appsuite
Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via vectors related to unspecified fields in RSS feeds.2014-09-174.3CVE-2014-5235
BID
BUGTRAQ
SECUNIA
MISC
orangehrm -- orangehrm
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from third party information.2014-09-176.5CVE-2012-1506
MISC
XF
BID
SECUNIA
OSVDB
orangehrm -- orangehrm
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php.2014-09-174.3CVE-2012-1507
MISC
XF
BID
SECUNIA
OSVDB
OSVDB
OSVDB
phorum -- phorum
Cross-site scripting (XSS) vulnerability in the admin interface in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.2014-09-194.3CVE-2012-6659
SECUNIA
php365 -- 365_links
Cross-site scripting (XSS) vulnerability in php365.com 365 Links 3.11 and earlier, 365 Links2 3.11 and earlier, 365 Links+ 2.10 and earlier, and 365 Links2+ 2.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2014-09-184.3CVE-2014-5317
CONFIRM
JVNDB
powerdns -- powerdns_recursor
Unspecified vulnerability in PowerDNS Recursor (aka pdns_recursor) 3.6.x before 3.6.1 allows remote attackers to cause a denial of service (crash) via an unknown sequence of malformed packets.2014-09-195.0CVE-2014-3614
XF
SECUNIA
CONFIRM
schneider-electric -- vampset
Multiple stack-based buffer overflows in Schneider Electric VAMPSET 2.2.136 and earlier allow local users to cause a denial of service (application halt) via a malformed (1) setting file or (2) disturbance recording file.2014-09-154.4CVE-2014-5407
schneider-electric -- clearscada
Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account.2014-09-185.0CVE-2014-5412
schneider-electric -- clearscada
Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 uses the MD5 algorithm for an X.509 certificate, which makes it easier for remote attackers to spoof servers via a cryptographic attack against this algorithm.2014-09-185.0CVE-2014-5413
spiceworks -- spiceworks
SQL injection vulnerability in SpiceWorks 5.3.75941 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to api_v2.json. NOTE: this entry was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6658 is for the XSS.2014-09-176.5CVE-2012-2956
XF
BID
EXPLOIT-DB
OSVDB
spiceworks -- spiceworks
Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3.75941 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName configuration in snmpd.conf. NOTE: this entry was SPLIT from CVE-2012-2956 per ADT2 due to different vulnerability types.2014-09-174.3CVE-2012-6658
EXPLOIT-DB
SECUNIA
OSVDB
synology -- diskstation_manager
Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php.2014-09-124.3CVE-2012-1556
XF
BID
SECUNIA
OSVDB
BUGTRAQ
vmware -- nsx
VMware NSX 6.0 before 6.0.6, and vCloud Networking and Security (vCNS) 5.1 before 5.1.4.2 and 5.5 before 5.5.3, does not properly validate input, which allows attackers to obtain sensitive information via unspecified vectors.2014-09-155.0CVE-2014-3796
wireshark -- wireshark
Use-after-free vulnerability in the SDP dissector in Wireshark 1.10.x before 1.10.10 allows remote attackers to cause a denial of service (application crash) via a crafted packet that leverages split memory ownership between the SDP and RTP dissectors.2014-09-205.0CVE-2014-6421
CONFIRM
CONFIRM
wireshark -- wireshark
The SDP dissector in Wireshark 1.10.x before 1.10.10 creates duplicate hashtables for a media channel, which allows remote attackers to cause a denial of service (application crash) via a crafted packet to the RTP dissector.2014-09-205.0CVE-2014-6422
CONFIRM
CONFIRM
wireshark -- wireshark
The tvb_raw_text_add function in epan/dissectors/packet-megaco.c in the MEGACO dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (infinite loop) via an empty line.2014-09-205.0CVE-2014-6423
CONFIRM
CONFIRM
wireshark -- wireshark
The dissect_v9_v10_pdu_data function in epan/dissectors/packet-netflow.c in the Netflow dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 refers to incorrect offset and start variables, which allows remote attackers to cause a denial of service (uninitialized memory read and application crash) via a crafted packet.2014-09-205.0CVE-2014-6424
CONFIRM
CONFIRM
wireshark -- wireshark
The (1) get_quoted_string and (2) get_unquoted_string functions in epan/dissectors/packet-cups.c in the CUPS dissector in Wireshark 1.12.x before 1.12.1 allow remote attackers to cause a denial of service (buffer over-read and application crash) via a CUPS packet that lacks a trailing '\0' character.2014-09-205.0CVE-2014-6425
CONFIRM
CONFIRM
wireshark -- wireshark
The dissect_hip_tlv function in epan/dissectors/packet-hip.c in the HIP dissector in Wireshark 1.12.x before 1.12.1 does not properly handle a NULL tree, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.2014-09-205.0CVE-2014-6426
CONFIRM
wireshark -- wireshark
Off-by-one error in the is_rtsp_request_or_reply function in epan/dissectors/packet-rtsp.c in the RTSP dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet that triggers parsing of a token located one position beyond the current position.2014-09-205.0CVE-2014-6427
CONFIRM
CONFIRM
wireshark -- wireshark
The dissect_spdu function in epan/dissectors/packet-ses.c in the SES dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not initialize a certain ID value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.2014-09-205.0CVE-2014-6428
CONFIRM
CONFIRM
wireshark -- wireshark
The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not properly handle empty input data, which allows remote attackers to cause a denial of service (application crash) via a crafted file.2014-09-205.0CVE-2014-6429
CONFIRM
CONFIRM
wireshark -- wireshark
The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not validate bitmask data, which allows remote attackers to cause a denial of service (application crash) via a crafted file.2014-09-205.0CVE-2014-6430
CONFIRM
CONFIRM
wireshark -- wireshark
Buffer overflow in the SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted file that triggers writes of uncompressed bytes beyond the end of the output buffer.2014-09-205.0CVE-2014-6431
CONFIRM
CONFIRM
wireshark -- wireshark
The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not prevent data overwrites during copy operations, which allows remote attackers to cause a denial of service (application crash) via a crafted file.2014-09-205.0CVE-2014-6432
CONFIRM
CONFIRM
Back to top

Low Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
apple -- iphone_os
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.2014-09-182.1CVE-2014-4352
APPLE
apple -- iphone_os
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.2014-09-182.1CVE-2014-4356
APPLE
apple -- apple_tv
Accounts Framework in Apple iOS before 8 and Apple TV before 7 allows attackers to obtain sensitive information by reading log data that was not intended to be present in a log.2014-09-182.1CVE-2014-4357
APPLE
APPLE
apple -- iphone_os
Apple iOS before 8 enables Voice Dial during all upgrade actions, which makes it easier for physically proximate attackers to launch unintended calls by speaking a telephone number.2014-09-182.1CVE-2014-4367
APPLE
apple -- apple_tv
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4419, CVE-2014-4420, and CVE-2014-4421.2014-09-181.9CVE-2014-4371
APPLE
APPLE
apple -- apple_tv
syslogd in the syslog subsystem in Apple iOS before 8 and Apple TV before 7 allows local users to change the permissions of arbitrary files via a symlink attack on an unspecified file.2014-09-183.6CVE-2014-4372
APPLE
APPLE
apple -- iphone_os
Directory traversal vulnerability in the App Installation feature in Apple iOS before 8 allows local users to install unverified apps by triggering code-signature validation of an unintended bundle.2014-09-181.9CVE-2014-4384
APPLE
apple -- iphone_os
Race condition in the App Installation feature in Apple iOS before 8 allows local users to gain privileges and install unverified apps by leveraging /tmp write access.2014-09-181.9CVE-2014-4386
APPLE
apple -- mac_os_x
The kernel in Apple OS X before 10.9.5 allows local users to obtain sensitive address information and bypass the ASLR protection mechanism by leveraging predictability of the location of the CPU Global Descriptor Table.2014-09-192.1CVE-2014-4403
apple -- apple_tv
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4420, and CVE-2014-4421.2014-09-181.9CVE-2014-4419
APPLE
APPLE
apple -- apple_tv
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4419, and CVE-2014-4421.2014-09-181.9CVE-2014-4420
APPLE
APPLE
apple -- apple_tv
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4419, and CVE-2014-4420.2014-09-181.9CVE-2014-4421
APPLE
APPLE
ibm -- storwize_v7000_unified_software
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.2014-09-152.1CVE-2014-3077
XF
ibm -- filenet_content_foundation
Cross-site scripting (XSS) vulnerability in Content Navigator in Content Engine in IBM FileNet Content Manager 5.2.x before 5.2.0.3-P8CPE-IF003 and Content Foundation 5.2.x before 5.2.0.3-P8CPE-IF003 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.2014-09-153.5CVE-2014-4763
XF
schneider-electric -- clearscada
Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.2014-09-183.5CVE-2014-5411
yealink -- gigabit_color_ip_phone_sip-t32g
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.2014-09-173.5CVE-2012-1417
XF
BID
OSVDB
EXPLOIT-DB
SECUNIA
MISC
BUGTRAQ
Back to top

This product is provided subject to this Notification and this Privacy & Use policy.



09/18/2014 10:01 AM
Apple Releases Security Updates for iOS, Apple TV, and Xcode
Original release date: September 18, 2014

Apple released security updates for iOS devices, Apple TV, and Xcode to address multiple vulnerabilities, some of which could allow attackers to execute code with system privileges or cause an unexpected application termination.

Updates available include:

  • iOS 8 for iPhone 4s and later, iPod touch 5th generation and later, and iPad 2 and later
  • Apple TV 7 for Apple TV 3rd generation and later
  • Xcode 6.0.1 for OS X Mavericks v10.9.4 and later

Users and administrators are encouraged to review Apple security updates HT6441, HT6442, and HT6444 and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.



09/16/2014 02:45 PM
Adobe Releases Security Updates for Adobe Reader and Acrobat
Original release date: September 16, 2014

Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. Exploitation of these vulnerabilities could potentially allow an attacker to take control of the affected system.

US-CERT encourages users and administrators to review Adobe Security Bulletin APSB14-20 and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.



09/15/2014 05:34 AM
SB14-258: Vulnerability Summary for the Week of September 8, 2014
Original release date: September 15, 2014

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
address_visualization_with_google_maps_project -- address_visualization_with_google_mapsSQL injection vulnerability in the Address visualization with Google Maps (st_address_map) extension before 0.3.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.2014-09-117.5CVE-2014-6239
BID
adobe -- adobe_airAdobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, and CVE-2014-0555.2014-09-0910.0CVE-2014-0547
adobe -- adobe_airAdobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow remote attackers to bypass the Same Origin Policy via unspecified vectors.2014-09-097.5CVE-2014-0548
adobe -- adobe_airAdobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, and CVE-2014-0555.2014-09-0910.0CVE-2014-0549
adobe -- adobe_airAdobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0551, CVE-2014-0552, and CVE-2014-0555.2014-09-0910.0CVE-2014-0550
adobe -- adobe_airAdobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0552, and CVE-2014-0555.2014-09-0910.0CVE-2014-0551
adobe -- adobe_airAdobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, and CVE-2014-0555.2014-09-0910.0CVE-2014-0552
adobe -- adobe_airUse-after-free vulnerability in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors.2014-09-0910.0CVE-2014-0553
adobe -- adobe_airAdobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to bypass intended access restrictions via unspecified vectors.2014-09-1010.0CVE-2014-0554
adobe -- adobe_airAdobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, and CVE-2014-0552.2014-09-0910.0CVE-2014-0555
adobe -- adobe_airHeap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0559.2014-09-0910.0CVE-2014-0556
adobe -- adobe_airAdobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors.2014-09-0910.0CVE-2014-0557
adobe -- adobe_airHeap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0556.2014-09-0910.0CVE-2014-0559
apache -- tomcatUnrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.2014-09-117.5CVE-2013-4444
BUGTRAQ
cisco -- telepresence_system_softwareMemory leak in Cisco TelePresence System Edge MXP Series Software F9.3.3 and earlier allows remote attackers to cause a denial of service (management outage) via multiple TELNET connections, aka Bug ID CSCuo63677.2014-09-117.8CVE-2014-3362
cwt_frontend_edit_project -- cwt_frontend_editUnspecified vulnerability in the CWT Frontend Edit (cwt_feedit) extension before 1.2.5 for TYPO3 allows remote authenticated users to execute arbitrary code via unknown vectors.2014-09-117.5CVE-2014-6231
XF
BID
SECUNIA
flat_manager_project -- flat_managerSQL injection vulnerability in the Flat Manager (flatmgr) extension before 2.7.10 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.2014-09-117.5CVE-2014-6233
XF
BID
SECUNIA
google -- chromeUse-after-free vulnerability in core/dom/Node.cpp in Blink, as used in Google Chrome before 37.0.2062.120, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of render-tree inconsistencies.2014-09-107.5CVE-2014-3178
CONFIRM
CONFIRM
google -- chromeMultiple unspecified vulnerabilities in Google Chrome before 37.0.2062.120 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.2014-09-107.5CVE-2014-3179
CONFIRM
CONFIRM
CONFIRM
CONFIRM
hp -- network_node_manager_iUnspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-2264.2014-09-1010.0CVE-2014-2624
HP
ibm -- san_volume_controller_softwareIBM Storwize 3500, 3700, 5000, and 7000 devices and SAN Volume Controller 6.x and 7.x before 7.2.0.8 allow remote attackers to reset the administrator superuser password to its default value via a direct request to the administrative IP address.2014-09-117.5CVE-2014-4811
XF
kennziffer -- ke_dompdfUnspecified vulnerability in the ke DomPDF extension before 0.0.5 for TYPO3 allows remote attackers to execute arbitrary code via unknown vectors.2014-09-117.5CVE-2014-6235
XF
BID
lumonet_php_include_project -- lumonet_php_includeUnspecified vulnerability in the LumoNet PHP Include (lumophpinclude) extension before 1.2.1 for TYPO3 allows remote attackers to execute arbitrary scripts via vectors related to extension links.2014-09-117.5CVE-2014-6236
XF
BID
SECUNIA
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-2799
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4059
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4065
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4079
microsoft -- internet_explorerMicrosoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4089, CVE-2014-4091, and CVE-2014-4102.2014-09-099.3CVE-2014-4080
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4081
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."2014-09-099.3CVE-2014-4082
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4083
microsoft -- internet_explorerMicrosoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4093.2014-09-099.3CVE-2014-4084
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4085
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."2014-09-099.3CVE-2014-4086
microsoft -- internet_explorerMicrosoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4095, CVE-2014-4096, and CVE-2014-4101.2014-09-099.3CVE-2014-4087
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4088
microsoft -- internet_explorerMicrosoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4080, CVE-2014-4091, and CVE-2014-4102.2014-09-099.3CVE-2014-4089
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4090
microsoft -- internet_explorerMicrosoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4080, CVE-2014-4089, and CVE-2014-4102.2014-09-099.3CVE-2014-4091
microsoft -- internet_explorerMicrosoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4098.2014-09-099.3CVE-2014-4092
microsoft -- internet_explorerMicrosoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4084.2014-09-099.3CVE-2014-4093
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4094
microsoft -- internet_explorerMicrosoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4087, CVE-2014-4096, and CVE-2014-4101.2014-09-099.3CVE-2014-4095
microsoft -- internet_explorerMicrosoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4087, CVE-2014-4095, and CVE-2014-4101.2014-09-099.3CVE-2014-4096
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4097
microsoft -- internet_explorerMicrosoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4092.2014-09-099.3CVE-2014-4098
microsoft -- internet_explorerMicrosoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."2014-09-099.3CVE-2014-4099
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4100
microsoft -- internet_explorerMicrosoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4087, CVE-2014-4095, and CVE-2014-4096.2014-09-099.3CVE-2014-4101
microsoft -- internet_explorerMicrosoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4080, CVE-2014-4089, and CVE-2014-4091.2014-09-099.3CVE-2014-4102
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4103
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4104
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4105
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4106
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4107
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4108
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4110, and CVE-2014-4111.2014-09-099.3CVE-2014-4109
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, and CVE-2014-4111.2014-09-099.3CVE-2014-4110
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, and CVE-2014-4110.2014-09-099.3CVE-2014-4111
phpwiki -- phpwikiThe Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information.2014-09-117.5CVE-2014-5519
EXPLOIT-DB
SECUNIA
MLIST
MLIST
FULLDISC
MISC
OSVDB
plogger -- ploggerUnrestricted file upload vulnerability in plog-admin/plog-upload.php in Plogger 1.0 RC1 and earlier allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-zero length PNG file, then accessing the PHP file via a direct request to it in plog-content/uploads/archive/.2014-09-117.5CVE-2014-2223
MISC
EXPLOIT-DB
MLIST
MLIST
MISC
procmail -- procmailHeap-based buffer overflow in formisc.c in formail in procmail 3.22 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted email header, related to "unbalanced quotes."2014-09-087.5CVE-2014-3618
XF
UBUNTU
BID
MLIST
DEBIAN
sensysnetworks -- trafficdotSensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not verify the integrity of downloaded updates, which allows remote attackers to execute arbitrary code via a Trojan horse update.2014-09-057.6CVE-2014-2378
MISC
wt_directory_project -- wt_directorySQL injection vulnerability in the wt_directory extension before 1.4.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.2014-09-117.5CVE-2014-6241
XF
BID
SECUNIA
Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
1800contacts -- 1800contacts_appThe 1800CONTACTS App (aka com.contacts1800.ecomapp) application 2.7.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5601
MISC
9gag -- 9gag_-_funny_pics_and_videosThe 9GAG - Funny pics and videos (aka com.ninegag.android.app) application 2.4.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5669
MISC
aceviral -- angry_gran_tossThe Angry Gran Toss (aka com.aceviral.angrygrantoss) application 1.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5564
MISC
adcolony -- adcolony_libraryThe Adcolony library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5524
CERT-VN
MISC
adidas -- honoluluThe Honolulu (aka adidas.jp.android.running.honolulu) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5532
MISC
adiscon -- loganalyzerMultiple cross-site scripting (XSS) vulnerabilities in Adiscon LogAnalyzer before 3.6.6 allow remote attackers to inject arbitrary web script or HTML via the hostname in (1) index.php or (2) detail.php.2014-09-114.3CVE-2014-6070
XF
EXPLOIT-DB
FULLDISC
MISC
adt-taxis -- adt_taxisThe ADT Taxis (aka com.icabbi.adttaxisApp) application 6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5639
MISC
akronymmanager_project -- akronymmanagerCross-site scripting (XSS) vulnerability in the Akronymmanager (aka SB Folderdownload) extension 0.5.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2014-09-114.3CVE-2014-6238
XF
BID
al_3azmi -- ce4arab_marketThe ce4arab market (aka com.dreamstep.wce4arabmarket) application 0.12.13093.40460 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5610
MISC
americostech -- selfshot_front_flash_cameraThe Selfshot - Front Flash Camera (aka com.americos.selfshot) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5566
MISC
amiscu -- westmoreland_water_fcuThe Westmoreland Water FCU (aka air.com.creditunionhomebanking.mb115) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5538
CERT-VN
MISC
amiscu -- michael_baker_federal_credit_unionThe Michael Baker FCU (aka air.com.creditunionhomebanking.mb155) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5539
MISC
androkera -- las_vegas_lottery_scratch_offThe Las Vegas Lottery Scratch Off (aka com.androkera.lottery) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5568
MISC
animoca -- star_girlThe Star Girl (aka com.animoca.google.starGirl) application 3.4.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5569
MISC
animoca -- bunny_runThe Bunny Run (aka com.stargirlgames.google.bunnyrun) application 1.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5707
MISC
animoca -- fashion_styleThe Fashion Style (aka com.thirtysixyougames.google.starGirlSingapore) application 3.4.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5717
MISC
anywherepad -- anywhere_pad-meet,_collaborateThe Anywhere Pad-Meet, Collaborate (aka com.azeus.anywherepad) application 4.0.1031 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5579
MISC
aol -- dailyfinance_-_stocks_&_newsThe DailyFinance - Stocks & News (aka com.aol.mobile.dailyFinance) application 2.0.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5570
MISC
app_maker_ks -- buy_booksThe Buy Books (aka com.wBooksForSale) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5734
MISC
appeak -- pokerThe Appeak Poker (aka com.appeak.poker) application 2.4.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5571
MISC
appministry -- princess_shoppingThe Princess Shopping (aka air.android.PrincessShopping) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5534
MISC
appsflyer -- appsflyerThe Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5528
MISC
appstros -- appstros_-_free_gift_cards!The Appstros - FREE Gift Cards! (aka com.appstros.main) application 1.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5573
MISC
arris -- touchstone_dg950a_softwareThe Arris Touchstone DG950A cable modem with software 7.10.131 has an SNMP community of public, which allows remote attackers to obtain sensitive password, key, and SSID information via an SNMP request.2014-09-055.0CVE-2014-4863
CERT-VN
MISC
ask.fm -- ask.fm-social_q&a_networkThe Ask.fm - Social Q&A Network (aka com.askfm) application 1.2.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5574
CERT-VN
MISC
avd-app -- avd_download_videoThe AVD Download Video (aka com.myboyfriendisageek.videocatcher.demo) application 3.3.13 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5666
MISC
avira -- avira_secure_backupThe Avira Secure Backup (aka com.avira.avirabackup) application 1.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5576
MISC
avolvesoftware -- projectdoxCross-site scripting (XSS) vulnerability in Avolve Software ProjectDox 8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2014-09-114.3CVE-2014-5129
XF
BUGTRAQ
avon -- avon_buy&sellThe AVON Buy & Sell (aka com.AVONBeautyntheRep) application 0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5577
MISC
backgroundcheckprotool -- backgroundcheckprotoolThe BackgroundCheckProTool (aka com.BackgroundCheckProTool) application 3.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5580
MISC
band -- band_-group_sharing_&_planningThe BAND -Group sharing & planning (aka com.nhn.android.band) application 3.2.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5668
MISC
bashgaming -- bingo_bash_free_bingo_casinoThe Bingo Bash - Free Bingo Casino (aka air.com.bitrhymes.bingo) application 1.31.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5536
CERT-VN
CERT-VN
MISC
beenverified -- background_check_beenverifiedThe Background Check BeenVerified (aka com.beenverified.android) application 4.01.67 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5584
MISC
biat -- biatnetThe BIATNET (aka com.biatnet.mobile) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5586
MISC
biggame -- brokenscreencrankThe brokenscreencrank (aka com.biggame.brokenscreencrank) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5587
MISC
blackbeltstudio -- most_popular_ringtonesThe Most Popular Ringtones (aka com.bbs.mostpopularringtones) application 32 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5583
MISC
bmfapps -- free_ebooksThe Free eBooks (aka com.bmfapps.freekindlebooks) application 14 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5588
MISC
btwgames -- snake_evolutionThe Snake Evolution (aka com.btwgames.snake) application 1.3.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5590
MISC
ca_lottery_results_project -- ca_lottery_resultsThe CA Lottery Results (aka com.matcho0.calotto) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5657
MISC
cacheguard -- cacheguardosCross-site request forgery (CSRF) vulnerability in gui/password-wadmin.apl in CacheGuard OS 5.7.7 allows remote attackers to hijack the authentication of arbitrary users.2014-09-106.8CVE-2014-4865
CERT-VN
casinogame -- video_poker_casinoThe Video Poker Casino (aka com.geaxgame.videopoker) application 1.0.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5631
MISC
chewysoftware -- abduction_stacker_freeThe Abduction Stacker Free (aka air.com.chewygames.abductionstacker2) application 1.0.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5537
MISC
choiceoflove -- free_dating_heart_colThe Free Dating Heart COL (aka com.choiceoflove.dating) application 2.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5592
MISC
christiancafe -- christian_dating_cafeThe Christian Dating Cafe (aka com.christiancafe.mobile.android) application 1.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5593
MISC
CERT-VN
cibc -- cibc_mobile_bankingThe CIBC Mobile Banking (aka com.cibc.android.mobi) application 3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5594
MISC
cisco -- cliThe CLI in Cisco IOS XR allows remote authenticated users to obtain sensitive information via unspecified commands, aka Bug IDs CSCuq42336, CSCuq76853, CSCuq76873, and CSCuq45383.2014-09-114.0CVE-2014-3342
cisco -- ios_xrCisco IOS XR 5.1 allows remote attackers to cause a denial of service (DHCPv6 daemon crash) via a malformed DHCPv6 packet, aka Bug ID CSCuo59052.2014-09-104.3CVE-2014-3343
cisco -- integrated_management_controllerThe SSH module in the Integrated Management Controller (IMC) before 2.3.1 in Cisco Unified Computing System on E-Series blade servers allows remote attackers to cause a denial of service (IMC hang) via a crafted SSH packet, aka Bug ID CSCuo69206.2014-09-105.0CVE-2014-3348
cmcm -- cm_backup_-restore,cloud,photoThe CM Backup -Restore,Cloud,Photo (aka com.ijinshan.kbackup) application 1.1.0.135 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5640
MISC
cmcm -- cm_browser_-_fast_&_secureThe CM Browser - Fast & Secure (aka com.ksmobile.cb) application 5.0.50 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5655
MISC
coles_credit_cards -- coles_credit_card_appThe Coles Credit Card App (aka au.com.colesfinancialservices.mobile) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5562
MISC
commerce -- america's_economy_for_phoneThe America's Economy for Phone (aka air.gov.census.mobile.phone.americaseconomy) application 1.5.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5557
MISC
createdineden -- buy_yorkshire_conferenceThe Buy Yorkshire Conference (aka com.gotfocus.buyyorkshire) application 1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5635
MISC
cubettechnologies -- cloud_managerThe Cloud Manager (aka com.ileaf.cloud_manager) application 1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5641
MISC
deskroll -- deskroll_remote_desktopThe DeskRoll Remote Desktop (aka com.deskroll.client1) application 0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5603
MISC
devarai -- word_search_freeThe Word Search Free (aka air.wordSearchFree) application 4.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5561
MISC
differencegames -- hidden_memory_-_aladdin_free!The Hidden Memory - Aladdin FREE! (aka air.com.differencegames.hmaladdinfree) application 1.0.31 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5541
MISC
differencegames -- hidden_object_-_alice_freeThe Hidden Object - Alice Free (aka air.com.differencegames.hovisionsofalicefree) application 1.0.17 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5543
MISC
digimobistudio -- qq_copyThe QQ Copy (aka com.digimobistudio.qqcopy) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5605
MISC
dish -- dish_anywhereThe DISH Anywhere (aka com.sm.SlingGuide.Dish) application 3.5.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5704
MISC
disney -- where's_my_perry?_freeThe Where's My Perry? Free (aka com.disney.WMPLite) application 1.5.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5606
MISC
disney -- where's_my_water?_freeThe Where's My Water? Free (aka com.disney.WMWLite) application 1.9.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5607
MISC
djinnworks -- line_runner_(free)The Line Runner (Free) (aka com.djinnworks.linerunnerfree) application 4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5608
MISC
djinnworks -- stickman_ski_racerThe Stickman Ski Racer (aka com.djinnworks.StickmanSkiRacer.free) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5609
MISC
domino_labs -- like4like:get_instagram_likesThe Like4Like: Get Instagram Likes (aka com.bepop.bepop) application 2.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5585
CERT-VN
MISC
dressup -- dress_up!_girl_partyThe Dress Up! Girl Party (aka com.sgn.DressUp.GirlParty) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5697
MISC
ebay-kleinanzeigen -- ebay_kleinanzeigen_for_germanyThe eBay Kleinanzeigen for Germany (aka com.ebay.kleinanzeigen) application 5.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5611
MISC
elokence -- akinator_the_genie_freeThe Akinator the Genie FREE (aka com.digidust.elokence.akinator.freemium) application 2.46 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5604
MISC
CERT-VN
emurasoft -- emftp_professionalEmurasoft EmFTP allows local users to gain privileges via a Trojan horse executable file that is launched during an attempt to read a similarly named file that lacks a filename extension.2014-09-054.4CVE-2014-3910
JVNDB
JVN
MISC
enigmail -- enigmailEnigmail 1.7.x before 1.7.2 sends emails in plaintext when encryption is enabled and only BCC recipients are specified, which allows remote attackers to obtain sensitive information by sniffing the network.2014-09-084.3CVE-2014-5369
MLIST
MLIST
CONFIRM
SECUNIA
SECUNIA
SUSE
entertailion -- able_remoteThe Able Remote (aka com.entertailion.android.remote) application 2.3.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5613
MISC
etoolkit -- love_collage_-_photo_editorThe Love Collage - Photo Editor (aka com.etoolkit.lovecollage) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5614
MISC
exsoul-browser -- exsoul_web_browserThe Exsoul Web Browser (aka com.exsoul) application 3.3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5617
MISC
falconsc -- wisepointSession fixation vulnerability in Falcon WisePoint 4.1.19.7 and earlier allows remote attackers to hijack web sessions via unspecified vectors.2014-09-056.8CVE-2014-3909
JVNDB
familyconnect_project -- familyconnectThe familyconnect (aka com.comcast.plaxo.familyconnect.app) application 1.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5600
MISC
fiksu -- fiksuThe Fiksu library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5814
MISC
fingersoft -- cartoon_cameraThe Cartoon Camera (aka com.fingersoft.cartooncamera) application 1.2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5618
MISC
flane -- cisco_class_locator_fast_laneThe Cisco Class Locator Fast Lane (aka com.tabletkings.mycompany.fastlane.cisco) application for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5710
MISC
flickatrade -- flick_a_tradeThe Flick a Trade (aka air.com.cygnecode.fat) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5540
CERT-VN
MISC
fluik -- office_jerk_freeThe Office Jerk Free (aka com.fluik.OfficeJerkFree) application 1.7.13 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5620
MISC
fluik -- office_zombieThe Office Zombie (aka com.fluik.OfficeZombieGoogleFree) application 1.3.13 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5621
MISC
flurry -- flurry-analytics-androidThe Flurry library before 3.4.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-6024
MISC
MISC
flyfishing-and-flytying -- fly_fishing_&_fly_tyingThe Fly Fishing & Fly Tying (aka air.com.yudu.ReaderAIR3209899) application 3.21.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5556
MISC
fortinet -- fortiosThe FortiManager protocol service in Fortinet FortiOS before 4.3.16 and 5.x before 5.0.8 on FortiGate devices does not prevent use of anonymous ciphersuites, which makes it easier for man-in-the-middle attackers to obtain sensitive information or interfere with communications by modifying the client-server data stream.2014-09-105.4CVE-2014-0351
franklychat -- frankly_chatThe Frankly Chat (aka com.chatfrankly.android) application 3.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5591
CERT-VN
CERT-VN
MISC
freshplanet -- songpopThe SongPop (aka air.com.freshplanet.games.WaM) application 1.21.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5544
MISC
fungames-forfree -- sniper_shooter_free_-_fun_gameThe Sniper Shooter Free - Fun Game (aka com.fungamesforfree.snipershooter.free) application 2.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5624
MISC
gadgettrak -- gadgettrak_mobile_securityThe GadgetTrak Mobile Security (aka com.activetrak.android.app) application 1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5565
MISC
gamegou -- perfect_kickThe Perfect Kick (aka com.gamegou.PerfectKick.google) application 1.3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5625
MISC
gameinfo -- best_racing/moto_games_rankingThe Best Racing/moto Games Ranking (aka com.subapp.android.racing) application 2.2.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5708
MISC
gameloft -- gameloft_libraryThe Gameloft library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5529
CERT-VN
MISC
gameloft -- brothers_in_arms_2_free+The Brothers In Arms 2 Free+ (aka com.gameloft.android.ANMP.GloftB2HM) application 1.2.0b for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5626
MISC
gameloft -- ice_age_villageThe Ice Age Village (aka com.gameloft.android.ANMP.GloftIAHM) application 2.8.0m for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5627
MISC
gameloft -- wonder_zoo_-_animal_rescue_!The Wonder Zoo - Animal rescue ! (aka com.gameloft.android.ANMP.GloftZRHM) application 1.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5628
MISC
gameresort -- stupid_zombiesThe Stupid Zombies (aka com.gameresort.stupidzombies) application 1.12 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5629
MISC
gcspublishing -- home_repairThe Home Repair (aka com.gcspublishing.houserepairtalk) application 3.7.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5630
MISC
getsetgames -- mega_jumpThe Mega Jump (aka com.getsetgames.megajump) application @7F080002 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5632
MISC
girlgame -- baby_get_up_-_kids_careThe Baby Get Up - Kids Care (aka air.brown.jordansa.getup) application 1.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5535
MISC
girlsgames123 -- kiss_kiss_officeThe Kiss Kiss Office (aka com.girlsgames123.kisskissoffice) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5633
MISC
gmarket -- gmarketThe Gmarket (aka com.ebay.kr.gmarket) application 5.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5612
MISC
go-text -- text_me!_free_texting_&_callThe Text Me! Free Texting & Call (aka com.textmeinc.textme) application 2.5.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5714
MISC
goabode -- abodeThe Abode (aka abode.webview) application 1.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5531
MISC
google_sitemap_project -- google_sitemapCross-site scripting (XSS) vulnerability in the Google Sitemap (weeaar_googlesitemap) extension 0.4.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2014-09-114.3CVE-2014-6240
BID
granita -- cloud_browserThe Cloud Browser (aka com.granitamalta.cloudbrowser) application 2.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5636
MISC
group-office -- groupofficeSQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter.2014-09-116.5CVE-2012-4240
XF
BID
MISC
EXPLOIT-DB
OSVDB
BUGTRAQ
hasb_e_haal_project -- hasb_e_haalThe hasb_e_haal (aka com.anawaz.hasb_e_haal) application 1.0.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5567
MISC
home_shopping_apps -- buy_a_giftThe Buy A Gift (aka com.wBuyAGift) application 13529.90084 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5735
MISC
huntington -- huntington_mobileThe Huntington Mobile (aka com.huntington.m) application 2.1.222 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5638
MISC
ibm -- cognos_tm1IBM Cognos TM1 10.2.0.2 before IF1 and 10.2.2.0 before IF1 allows remote attackers to bypass intended access restrictions by visiting the Rights page and then following a generated link.2014-09-055.0CVE-2014-0877
XF
ibm -- rational_license_key_serverThe Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4.x before 8.1.4.4 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.2014-09-105.0CVE-2014-0909
ibm -- rational_engineering_lifecycle_managerCross-site request forgery (CSRF) vulnerability in IBM Configuration Management Application (aka VVC) in IBM Rational Engineering Lifecycle Manager before 4.0.7 and 5.x before 5.0.1, Rational Software Architect Design Manager before 4.0.7 and 5.x before 5.0.1, and Rational Rhapsody Design Manager before 4.0.7 and 5.x before 5.0.1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.2014-09-106.0CVE-2014-3037
ibm -- rational_doors_next_generationIBM Jazz Team Server, as used in Rational Collaborative Lifecycle Management; Rational Quality Manager 3.x before 3.0.1.6 iFix 3, 4.x before 4.0.7, and 5.x before 5.0.1; and other Rational products, does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.2014-09-115.0CVE-2014-3092
XF
ibm -- initiate_master_data_serviceCross-site request forgery (CSRF) vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.2014-09-106.8CVE-2014-4783
XF
ibm -- initiate_master_data_serviceIBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 does not properly restrict use of FRAME elements, which allows remote attackers to conduct phishing attacks, and bypass intended access restrictions or obtain sensitive information, via a crafted web site, related to a "frame injection" issue.2014-09-104.3CVE-2014-4784
XF
ibm -- initiate_master_data_serviceCross-site request forgery (CSRF) vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.2014-09-106.0CVE-2014-4785
XF
ibm -- initiate_master_data_serviceIBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 does not properly restrict use of FRAME elements, which allows remote authenticated users to conduct phishing attacks, and bypass intended access restrictions or obtain sensitive information, via a crafted web site, related to a "frame injection" issue.2014-09-104.9CVE-2014-4786
XF
ibm -- initiate_master_data_serviceIBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 does not have an off autocomplete attribute for authentication fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.2014-09-105.0CVE-2014-4788
XF
ibm -- initiate_master_data_serviceSession fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack web sessions via unspecified vectors.2014-09-106.8CVE-2014-4789
XF
ibm -- websphere_portalIBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF28, 8.0.0 through 8.0.0.1 CF13, and 8.5.0 before CF02 allows remote authenticated users to cause a denial of service (disk consumption) by uploading large files.2014-09-114.0CVE-2014-4792
XF
AIXAPAR
ibm -- urbancode_deployIBM UrbanCode Deploy 6.1.0.2 before IF1 allows remote authenticated users to read keystore secret keys via a direct request to a UI page.2014-09-104.0CVE-2014-6074
ilearnwith -- animals!_kids_preschool_gamesThe Animals! Kids Preschool Games (aka air.com.tribalnova.Animals) application 1.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5550
MISC
ilearnwith -- alphabet_&_spelling_kids_gamesThe Alphabet & Spelling Kids Games (aka air.com.tribalnova.ilearnwith.ipad.App1En) application 1.4.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5551
MISC
ilearnwith -- numbers_&_addition!_math_gamesThe Numbers & Addition! Math games (aka air.com.tribalnova.ilearnwith.ipad.App2En) application 1.4.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5552
MISC
ilearnwith -- kids_preschool_learning_gamesThe Kids Preschool Learning Games (aka air.com.tribalnova.ilearnwith.ipad.App3En) application 1.3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5553
MISC
ilearnwith -- fun_preschool_creativity_gameThe Fun Preschool Creativity Game (aka air.com.tribalnova.ilearnwith.ipad.MotherAppEn) application 1.6.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5554
MISC
ilearnwith -- counting_&_addition_kids_gamesThe Counting & Addition Kids Games (aka air.com.tribalnova.ilearnwith.ipad.PokoAddEn) application 1.8.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5555
MISC
ilove -- ilove_-_free_dating_&_chat_appThe iLove - Free Dating & Chat App (aka com.jestadigital.android.ilove) application 1.3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5649
MISC
imperva -- securesphere_web_application_firewallCross-site scripting (XSS) vulnerability in the Violations Table in the management GUI in the MX Management Server in Imperva SecureSphere Web Application Firewall (WAF) 9.0 allows remote attackers to inject arbitrary web script or HTML via the username field.2014-09-114.3CVE-2011-4887
XF
BID
MISC
SECUNIA
OSVDB
impi -- impi_mobile_securityThe IMPI Mobile Security (aka com.impi) application 2.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5642
MISC
inmobi -- inmobiThe Inmobi library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5526
MISC
instachat -- instachat_-instagram_messengerThe Instachat -Instagram Messenger (aka com.instachat.android) application 1.6.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5643
MISC
intellectualflame -- brightest_led_flashlightThe Brightest LED Flashlight (aka com.intellectualflame.ledflashlight.washer) application 1.2.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5644
MISC
intsig -- camscanner_-phone_pdf_creatorThe CamScanner -Phone PDF Creator (aka com.intsig.camscanner) application 3.4.0.20140624 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5645
MISC
iobit -- amc_security-_antivirus,_cleanThe AMC Security- Antivirus, Clean (aka com.iobit.mobilecare) application 4.4.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5646
MISC
islonline -- isl_light_remote_desktopThe ISL Light Remote Desktop (aka com.islonline.isllight.mobile.android) application 2.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5647
MISC
jaumo -- chat,_flirt_&_dating_heart_jaumoThe Chat, Flirt & Dating Heart JAUMO (aka com.jaumo) application 2.7.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5648
MISC
jazzpodiumdetor -- jazzpodium_de_torThe Jazzpodium De Tor (aka com.appmakr.app273713) application 206160 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5572
MISC
jiuzhangtech -- traffic_jam_freeThe Traffic Jam Free (aka com.jiuzhangtech.rushhour) application 1.7.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5650
MISC
jiuzhangtech -- word_searchThe Word Search (aka com.virtuesoft.wordsearch) application 2.3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5731
MISC
jogoeusei -- eu_seiThe Eu Sei (aka com.guilardi.eusei) application eusei_android_5.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5637
MISC
josiane_sauveterre -- goldfish_careThe Kids GoldFish Care (aka air.josiane.sauveterre.kidsgoldfishcare) application 1.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5559
MISC
kaspersky -- kaspersky_internet_securityThe Kaspersky Internet Security (aka com.kms.free) application 11.4.4.232 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5654
MISC
kicksend -- kicksend:_share_&_print_photosThe Kicksend: Share & Print Photos (aka com.kicksend.android) application 3.3.2.18 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5651
MISC
kicksend -- kicksend_photo_printsThe Kicksend Photo Prints (aka com.kicksend.android.print) application 1.0.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5652
MISC
kiragames -- unblock_me_freeThe Unblock Me FREE (aka com.kiragames.unblockmefree) application 1.4.4.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5653
MISC
ldap_project -- ldapUnspecified vulnerability in the LDAP (eu_ldap) extension before 2.8.18 for TYPO3 allows remote authenticated users to obtain sensitive information via unknown vectors.2014-09-114.0CVE-2014-6232
XF
BID
SECUNIA
lgr_mobile_apps -- show_do_milhao_2014The Show do Milhao 2014 (aka br.com.lgrmobile.sdm) application 1.4.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5563
MISC
litter_penguin -- web_browser_&_explorerThe Web Browser & Explorer (aka com.explore.web.browser) application 2.0.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5616
MISC
little_games -- africa_memoryThe Africa Memory (aka air.com.klon4enabor4e.AfricaMemory) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5546
MISC
madipass -- madipass_martiniqueThe Madipass Martinique (aka com.goodbarber.madipassmartinique) application 1.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5634
MISC
magzter -- magzter_-magazine_&_book_storeThe Magzter -Magazine & Book Store (aka com.dci.magzter) application 3.31 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5602
MISC
makingmoneywithandroid -- ingress_intel_helperThe Ingress Intel Helper (aka com.bb.ingressintel) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5582
MISC
mdickie -- hard_timeThe Hard Time (Prison Sim) (aka air.HardTime) application 1.111 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5558
MISC
mdickie -- popsceneThe Popscene (Music Industry Sim) (aka air.Popscene) application 1.04 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5560
MISC
mercadolibre -- mercadolibreThe MercadoLibre (aka com.mercadolibre) application 3.8.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5658
MISC
metago -- astro_file_manager_with_cloudThe ASTRO File Manager with Cloud (aka com.metago.astro) application ASTRO-4.4.592 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5659
MISC
microsoft -- lync_serverThe Response Group Service in Microsoft Lync Server 2010 and 2013 and the Core Components in Lync Server 2013 do not properly handle exceptions, which allows remote attackers to cause a denial of service (daemon hang) via a crafted call, aka "Lync Denial of Service Vulnerability."2014-09-095.0CVE-2014-4068
CONFIRM
microsoft -- lync_serverCross-site scripting (XSS) vulnerability in the Web Components Server in Microsoft Lync Server 2013 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Lync XSS Information Disclosure Vulnerability."2014-09-094.3CVE-2014-4070
microsoft -- lync_serverThe Server in Microsoft Lync Server 2013 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon hang) via a crafted request, aka "Lync Denial of Service Vulnerability."2014-09-095.0CVE-2014-4071
CONFIRM
microsoft -- .net_frameworkMicrosoft .NET Framework 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 does not properly use a hash table for request data, which allows remote attackers to cause a denial of service (resource consumption and ASP.NET performance degradation) via crafted requests, aka ".NET Framework Denial of Service Vulnerability."2014-09-095.0CVE-2014-4072
CONFIRM
microsoft -- windows_8The Task Scheduler in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via an application that schedules a crafted task, aka "Task Scheduler Vulnerability."2014-09-096.8CVE-2014-4074
microsoft -- microsoft_tech_companionThe Microsoft Tech Companion (aka com.technet) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5711
MISC
miniclip -- anger_of_stick_3The Anger of Stick 3 (aka com.miniclip.angerofstick3) application 1.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5661
MISC
miniclip -- rail_rushThe Rail Rush (aka com.miniclip.railrush) application 1.9.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5662
MISC
miniupnp_project -- miniupnpdThe getHTTPResponse function in miniwget.c in MiniUPnP 1.9 allows remote attackers to cause a denial of service (crash) via crafted headers that trigger an out-of-bounds read.2014-09-115.0CVE-2014-3985
CONFIRM
CONFIRM
BID
MLIST
MLIST
mirror_photo_&_shape_project -- mirror_photo_&_shapeThe mirror photo shape (aka com.baiwang.styleinstamirror) application 1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5581
MISC
mobbtech -- follow_mania_for_instagramThe Follow Mania for Instagram (aka com.followmania) application 1.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5622
MISC
mobilityware -- freecell_solitaireThe FreeCell Solitaire (aka com.mobilityware.freecell) application 2.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5663
MISC
mobilityware -- spider_solitaireThe Spider Solitaire (aka com.mobilityware.spider) application 3.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5664
MISC
mymembersfirst -- tn_members_1st_fcu-rdcThe TN Members 1st FCU-RDC (aka com.metova.cuae.tmffcu) application 1.0.28 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5660
MISC
netmaster -- cbw700_softwareThe Netmaster CBW700N cable modem with software 81.447.392110.729.024 has an SNMP community of public, which allows remote attackers to obtain sensitive credential, key, and SSID information via an SNMP request.2014-09-055.0CVE-2014-4862
CERT-VN
MISC
ninjakiwi -- sas:_zombie_assault_3The SAS: Zombie Assault 3 (aka com.ninjakiwi.sas3zombieassault) application 2.56 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5670
MISC
nodejs -- nodejsNode.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.2014-09-055.0CVE-2014-5256
CONFIRM
noodlecake -- super_stickman_golfThe Super Stickman Golf (aka com.noodlecake.ssg) application 2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5671
MISC
nowbrowser -- now_browser_(material)The Now Browser (Material) (aka com.browser.nowbasic) 2.8.1 application Material for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5589
MISC
nq -- vault-hide_sms,_pics_&_videosThe Vault-Hide SMS, Pics & Videos (aka com.netqin.ps) application 5.0.14.22 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5667
MISC
nq -- nq_mobile_security_&_antivirusThe NQ Mobile Security & Antivirus (aka com.nqmobile.antivirus20) application 7.2.16.00 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5672
MISC
nq -- easy_finder_&_anti-theftThe Easy Finder & Anti-Theft (aka com.nqmobile.easyfinder) application 2.0.10.08 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5673
MISC
ntop -- ntopngCross-site scripting (XSS) vulnerability in the nDPI traffic classification library in ntopng (aka ntop) before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.2014-09-084.3CVE-2014-5464
XF
BID
BUGTRAQ
BUGTRAQ
EXPLOIT-DB
SECUNIA
FULLDISC
FULLDISC
MISC
OSVDB
open_graph_protocol_project -- open_graph_protocolCross-site scripting (XSS) vulnerability in the Open Graph protocol (jh_opengraphprotocol) extension before 1.0.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2014-09-114.3CVE-2014-6234
XF
BID
SECUNIA
ovirt -- ovirtSession fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors.2014-09-086.8CVE-2014-0152
ovirt -- ovirtThe REST API in oVirt 3.4.0 and earlier stores session IDs in HTML5 local storage, which allows remote attackers to obtain sensitive information via a crafted web page.2014-09-084.3CVE-2014-0153
penguinchefshop_project -- penguinchefshopThe penguinchefshop (aka com.freegames.penguinchefshop) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5623
MISC
perblue -- parallel_kingdom_mmoThe Parallel Kingdom MMO (aka com.silvermoon.client) application @7F070019 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5699
MISC
permadi -- mahjong_galaxy_space_liteThe Mahjong Galaxy Space Lite (aka air.com.permadi.mahjongIris) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5547
MISC
picsart -- picsart_-_photo_studioThe PicsArt - Photo Studio (aka com.picsart.studio) application 4.5.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5674
MISC
pinssible -- phonegram_-_instagram_downloadThe Phonegram - Instagram Download (aka com.pinssible.padgram) application 1.9.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5675
MISC
playrix -- townshipThe Township (aka com.playrix.township) application 1.5.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5676
MISC
playscape -- mominis_libraryThe MoMinis library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5525
CERT-VN
MISC
pocketmags -- gambling_insider_magazineThe Gambling Insider Magazine (aka com.triactivemedia.gambling) application @7F0801AA for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5724
MISC
pointinside -- point_inside_shopping_&_travelThe Point Inside Shopping & Travel (aka com.pointinside.android.app) application 3.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5677
MISC
pop-hub -- iq_testThe IQ Test (aka com.pophub.androidiqtest.free) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5678
MISC
popuapp -- popu_2:_get_likes_on_instagramThe PopU 2: Get Likes on Instagram (aka com.popuapp.popu) application 1.7.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5679
MISC
retale -- retale_-_weekly_ads_&_dealsThe Retale - Weekly Ads & Deals (aka com.retale.android) application 2.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5682
MISC
rubycell -- piano_teacherThe Piano Teacher (aka com.rubycell.pianisthd) application 20140730 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5683
MISC
runkeeper -- runkeeper_-_gps_track_run_walkThe RunKeeper - GPS Track Run Walk (aka com.fitnesskeeper.runkeeper.pro) application 4.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5619
CERT-VN
MISC
runtastic -- runtastic_running_&_fitnessThe Runtastic Running & Fitness (aka com.runtastic.android) application 5.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5684
MISC
runtastic -- runtastic_heart_rateThe Runtastic Heart Rate (aka com.runtastic.android.heartrate.lite) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5685
MISC
runtastic -- runtastic_meThe Runtastic Me (aka com.runtastic.android.me.lite) application 1.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5686
MISC
runtastic -- runtastic_mountain_bikeThe Runtastic Mountain Bike (aka com.runtastic.android.mountainbike.lite) application 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5687
MISC
runtastic -- runtastic_pedometerThe Runtastic Pedometer (aka com.runtastic.android.pedometer.lite) application 1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5688
MISC
runtastic -- runtastic_road_bikeThe Runtastic Road Bike (aka com.runtastic.android.roadbike.lite) application 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5689
MISC
runtastic -- runtastic_timerThe Runtastic Timer (aka com.runtastic.android.timer) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5690
MISC
rvappstudios -- best_phone_securityThe Best Phone Security (aka com.rvappstudios.phonesecurity) application for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5691
MISC
safeway -- safewayThe Safeway (aka com.safeway.client.android.safeway) application 4.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5692
MISC
sanriodigital -- hello_kitty_cafeThe Hello Kitty Cafe (aka com.sd.google.helloKittyCafe) application 1.4.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5695
MISC
sap -- netweaverBuffer overflow in disp+work.exe 7000.52.12.34966 and 7200.117.19.50294 in the Dispatcher in SAP NetWeaver 7.00 and 7.20 allows remote authenticated users to cause a denial of service or execute arbitrary code via unspecified vectors.2014-09-056.5CVE-2014-6252
CONFIRM
SECUNIA
CONFIRM
MISC
scoutmob -- scoutmob_local_deals_&_eventThe Scoutmob local deals & events (aka com.scoutmob.ile) application 3.0.18 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5694
MISC
sega -- sonic_4_episode_ii_liteThe Sonic 4 Episode II LITE (aka com.sega.sonic4ep2lite) application 2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5696
MISC
sega -- sonic_cd_liteThe Sonic CD Lite (aka com.soa.sega.soniccdlite) application 1.0.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5705
MISC
sensysnetworks -- trafficdotSensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not use encryption, which allows remote attackers to interfere with traffic control by replaying transmissions on a wireless network.2014-09-055.4CVE-2014-2379
MISC
seven_bulls -- christmas_wordsThe Christmas Words (aka air.com.sevenBulls.summerWords) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5548
MISC
sheado -- furdiburbThe Furdiburb (aka com.sheado.lite.pet) application 1.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5698
MISC
sixdead -- brain_lab_-_brain_age_games_iqThe Brain lab - brain age games IQ (aka com.sixdead.brainlab) application 2.37 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5700
MISC
skout -- skout:_chats._friends._fun.The Skout: Chats. Friends. Fun. (aka com.skout.android) application 4.3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5701
MISC
skyboardapps -- penguin_runThe Penguin Run (aka com.skyboard.google.penguinRun) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5702
MISC
slingo -- slingo_lottery_challengeThe Slingo Lottery Challenge (aka com.slingo.slingolotterychallenge) application 1.0.34 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5703
MISC
snapone -- snap_secureThe Snap Secure (aka com.exclaim.snapsecure.app) application 9.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5615
MISC
somcloud -- somnote_-_journal/memoThe SomNote - Journal/Memo (aka com.somcloud.somnote) application 2.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5706
MISC
sos -- jobschedulerCross-site scripting (XSS) vulnerability in the JobScheduler Operations Center (JOC) in SOS JobScheduler before 1.6.4246 and 1.7.x before 1.7.4241 allows remote attackers to inject arbitrary web script or HTML via the hash property (location.hash).2014-09-114.3CVE-2014-5391
CONFIRM
XF
BID
BUGTRAQ
MISC
MISC
sos -- jobschedulerDirectory traversal vulnerability in the JobScheduler Operations Center (JOC) in SOS JobScheduler before 1.6.4246 and 1.7.x before 1.7.4241 allows remote authenticated users with the info permission to read arbitrary files in the webroot via unspecified vectors.2014-09-114.0CVE-2014-5393
CONFIRM
XF
BUGTRAQ
MISC
MISC
squid-cache -- squidHttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values."2014-09-115.0CVE-2014-3609
CONFIRM
DEBIAN
SECUNIA
SECUNIA
ssfcu -- security_service_mybranch_appThe Security Service myBranch App (aka com.tyfone.ssfcu.mbanking) application 7.88.00.145 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5726
MISC
starluxstudios -- puppy_slotsThe Puppy Slots (aka air.com.starluxstudios.PuppySlotsFree) application 3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5549
MISC
sunstormgames -- donut_makerThe Donut Maker (aka com.sunstorm.android.donut) application 1.27 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5709
MISC
swiftkey -- swiftkey_keyboard_+_emojiThe SwiftKey Keyboard + Emoji (aka com.touchtype.swiftkey) application 5.0.2.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5722
MISC
synology -- diskstation_managerCross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php.2014-09-124.3CVE-2012-1556
XF
BID
SECUNIA
OSVDB
BUGTRAQ
tamalaki -- hidden_object_mysteryThe Hidden Object Mystery (aka air.com.differencegames.hodetectivemysteryfree) application 1.0.65 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5542
CERT-VN
MISC
tapatalk -- tapatalkThe Tapatalk (aka com.quoord.tapatalkpro.activity) application 4.8.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5680
MISC
tapjoy -- tapjoy_libraryThe Tapjoy library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5527
CERT-VN
MISC
tektite -- turbo_river_racing_freeThe Turbo River Racing Free (aka com.tektite.androidgames.trrfree) application 1.07 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5712
MISC
telly -- telly-watch_the_good_stuffThe Telly - Watch the good stuff (aka com.telly) application 2.5.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5713
MISC
thegameboss -- street_racingThe Street Racing (aka com.tgb.streetracing.lite5pp) application 4.0.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5715
MISC
theonegames -- gunship_battle:helicopter_3dThe GUNSHIP BATTLE : Helicopter 3D (aka com.theonegames.gunshipbattle) application 1.1.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5716
MISC
threadflip -- threadflip_:_buy,_sell_fashionThe Threadflip : Buy, Sell Fashion (aka com.threadflip.android) application 1.1.11 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5718
MISC
timuz -- bike_racing_2014The BIKE RACING 2014 (aka com.timuzsolutions.bikeracing2014) application 1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5719
MISC
topfreegames -- bike_race_free_-_top_free_gameThe Bike Race Free - Top Free Game (aka com.topfreegames.bikeracefreeworld) application 4.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5720
MISC
torrentflux -- torrentfluxTorrentFlux 2.4 allows remote authenticated users to obtain other users' cookies via the cid parameter in an editCookies action to profile.php.2014-09-054.0CVE-2014-6028
MISC
SECTRACK
MLIST
MLIST
torrentflux -- torrentfluxTorrentFlux 2.4 allows remote authenticated users to delete or modify other users' cookies via the cid parameter in an editCookies action to profile.php.2014-09-054.9CVE-2014-6029
MISC
SECTRACK
MLIST
MLIST
torrnad0 -- sprint_jumpThe Sprint jump (aka air.com.ilaz.appilas) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5545
MISC
touchnote -- touchnote_postcardsThe Touchnote Postcards (aka com.touchnote.android) application 4.2.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5721
MISC
traauctions -- tra_auctions_for_buyersThe TRA Auctions for Buyers (aka com.manheim.tra) application 2.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5656
MISC
trading_212 -- trading_212_forexThe Trading 212 FOREX (aka com.avuscapital.trading212) application 2.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5578
MISC
trapster -- trapsterThe Trapster (aka com.trapster.android) application 4.3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5723
MISC
tribulant -- tibulant_slideshow_galleryUnrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/.2014-09-116.5CVE-2014-5460
CONFIRM
XF
BUGTRAQ
EXPLOIT-DB
MISC
SECUNIA
MISC
truecaller -- truecaller-caller_id_&_blockThe Truecaller - Caller ID & Block (aka com.truecaller) application 4.32 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5725
MISC
utorrent -- utorrent_remoteThe uTorrent Remote (aka com.utorrent.web) application 1.0.20110929 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5727
MISC
vevo -- vevo-watch_hd_music_videosThe Vevo - Watch HD Music Videos (aka com.vevo) application 2.0.27 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5728
MISC
viddy -- viddyThe Viddy (aka com.viddy.Viddy) application 1.3.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5729
MISC
videotelecom -- russkoe_tb_hdThe russkoe TB HD (aka com.videotelecom.russkoeHD) application 3.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5730
MISC
wamba -- wamba-meet_women_and_menThe Wamba - meet women and men (aka com.wamba.client) application 3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5732
MISC
water_wish -- shop_loveThe Shop Love (aka com.waterwish.shoplove) application 1.05 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5733
MISC
withbuddies -- slots_vacation_-_free_slots_The Slots Vacation - FREE Slots (aka com.scopely.slotsvacation) application 1.47.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-095.4CVE-2014-5693
MISC
withhive -- actionpuzzlefamily_for_kakaoThe actionpuzzlefamily for Kakao (aka com.com2us.actionpuzzlefamily.kakao.freefull.google.global.android.common) application 1.4.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5595
MISC
withhive -- homerun_battle_2The Homerun Battle 2 (aka com.com2us.homerunbattle2.normal.freefull.google.global.android.common) application 1.2.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5596
MISC
withhive -- 9_innings:_2014_pro_baseballThe 9 Innings: 2014 Pro Baseball (aka com.com2us.nipb2013.normal.freefull.google.global.android.common) application 4.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5597
MISC
withhive -- puzzle_familyThe Puzzle Family (aka com.com2us.puzzlefamily.up.freefull.google.global.android.common) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5598
MISC
withhive -- tiny_farmThe Tiny Farm (aka com.com2us.tinyfarm.normal.freefull.google.global.android.common) application 2.02.00 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5599
MISC
xda-developers -- xda-developersThe XDA-Developers (aka com.quoord.tapatalkxda.activity) application 3.9.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5681
MISC
xoops -- xoopsMultiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/
xoopsimagemanager/xoopsimagebrowser.php.
2014-09-114.3CVE-2012-0984
MISC
XF
BID
EXPLOIT-DB
SECUNIA
MISC
OSVDB
OSVDB
BUGTRAQ
zohocorp -- manageengine_eventlog_analyzerZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do.2014-09-116.5CVE-2014-6043
FULLDISC
MISC
BID
EXPLOIT-DB
FULLDISC
MISC
zopim -- zopim_libraryThe Zopim library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-085.4CVE-2014-5530
CERT-VN
MISC
Back to top

Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
cisco -- unified_communications_managerCross-site scripting (XSS) vulnerability in the web framework in Cisco Unified Communications Manager (UCM) 9.1(2.10000.28) allows remote authenticated users to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCuq68443.2014-09-113.5CVE-2014-3363
eucalyptus -- eucalyptusThe Storage Controller (SC) component in Eucalyptus 3.4.2 through 4.0.x before 4.0.1, when Dell Equallogic SAN is used, logs the CHAP user credentials, which allows local users to obtain sensitive information by reading the logs.2014-09-051.9CVE-2014-5036
SECUNIA
SECUNIA
ibm -- rational_license_key_serverThe Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4.x before 8.1.4.4 allows remote authenticated users to bypass authorization checks and visit unspecified URLs with license-usage data via a DESCRIBE clause in a SPARQL query.2014-09-102.1CVE-2014-3079
ibm -- rational_license_key_serverThe Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4.x before 8.1.4.4 allows remote authenticated users to hijack sessions via unspecified vectors.2014-09-103.5CVE-2014-4756
ibm -- websphere_portalCross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 through 8.0.0.1 CF13 and 8.5.0 before CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.2014-09-113.5CVE-2014-4762
XF
AIXAPAR
ibm -- initiate_master_data_serviceCross-site scripting (XSS) vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.2014-09-103.5CVE-2014-4787
XF
netgear -- prosafe_firmwareThe NETGEAR ProSafe Plus Configuration Utility creates configuration backup files containing cleartext passwords, which might allow remote attackers to obtain sensitive information by reading a file.2014-09-103.3CVE-2014-4864
news_pack_project -- news_packCross-site scripting (XSS) vulnerability in the News Pack extension 0.1.0 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.2014-09-113.5CVE-2014-6237
XF
BID
sixapart -- movabletypeCross-site scripting (XSS) vulnerability in the management page in Six Apart Movable Type before 5.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.2014-09-103.5CVE-2014-5313
JVNDB
CONFIRM
spiceworks -- spiceworksCross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page.2014-09-113.5CVE-2014-3740
EXPLOIT-DB
SECUNIA
FULLDISC
MISC
MISC
MISC
OSVDB
srvx -- srvxMultiple integer overflows in the HelpServ module (mod-helpserv.c) in srvx 1.3.1 allow remote authenticated IRCops or HelpServ bot managers to cause a denial of service (infinite loop) via a large value in the EmptyInterval parameter or certain other interval configurations.2014-09-053.5CVE-2014-5508
BID
MLIST
MLIST
Back to top

This product is provided subject to this Notification and this Privacy & Use policy.



09/11/2014 11:31 AM
Cisco Integrated Management Controller Vulnerability
Original release date: September 11, 2014

Cisco has released an advisory to address a vulnerability in the Cisco Integrated Management Controller (Cisco IMC) SSH module of the Cisco Unified Computing System E-Series Blade servers that could allow an unauthenticated, remote attacker to cause a denial of service condition. Migration to release 2.3.1 is available for Cisco IMC Software versions 1.0.1, 1.0.2, 2.1.0, and 2.2.0.

Users and administrators are encouraged to review the Cisco Advisory and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.





We Specialize In...

Wireless Networking - WiFi

Wireless Network Setup, Access Points, Routers, Antennas, and other devices.

Network Wiring

Coax (RG-6/59), Ethernet Wiring (CAT 3/5/5E/6), Phone Systems, and Structured Wiring

Data Recovery

PC Desktop Harddrives, External Storage, Network Attached Storage(NAS), RAID Array, and Server Hard drives.

Hardware Service

Data Storage Systems, Hard Drive Related, Hardware Repair, Laptop Repair, PC Repiar, Scanner Repair, Server Repair, System Diagnostics, Tape Drives, and other External Media.

Software Services

Accounting Systems, Adware/Spyware Removal, Antivirus Software and Virus Removal, Back Up Software, Communications Software, Contact Management, Database Software, Documentation Creating and Publishing, and Email Software.

Operating Systems

Linux, MS-DOS, Windows NT Workstation and Server, Windows 95, Windows 98, Windows ME, Windows 2000, Windows XP Home and Windows XP Professional.

Printer Repair and Service

All inkjet and laserjet printers, Dot matrix printers, Network Printers, HP, Lexmark, Canon, Brother, Oki-Data, OTC, and many other Printer Manufacturers.

Your One-Stop Solution For..

Virus Scanning and Virus Removal, PC Help, Computer Maintenance, Business Computer/Laptop Repair, Hardware Configuration, Software Configuration, AdWare and Spyware Removal and Immunization, Door-to-Door Pc Repair and Computer Services, Networking, Cabling, Wired and Wireless Network Assistance, Network Diagnostics Service, Components, Modems, Printers, Scanners, Digital Cameras, Data Storage, Data Recovery, Backup and Fail-Safe Disaster Recovery, Cable Modem Internet and DSL Internet Connections and Maintenance, Computer Troubleshooting, Hard Drive backups, Technical Support, End user training, Software Training, Any on-site Computer Need, Computer Tune Ups, Operating System (OS) Installations, On Site Computer Traingin, Laptop/Notebook Service and Repair, Free Upgrading Advice and Computer Upgrades at unbeatable rates.

Legal InformationTechAnywhereComputer Repair MemphisComputer Repair Industry

© 2004-2014 memphiscomputerrepair.com
All rights reserved.