CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In January 2018

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2011-2902 20 2018-01-30 2018-02-23
6.4
None Remote Low Not required None Partial Partial
zxpdf in xpdf before 3.02-19 as packaged in Debian unstable and 3.02-12+squeeze1 as packaged in Debian squeeze deletes temporary files insecurely, which allows remote attackers to delete arbitrary files via a crafted .pdf.gz file name.
2 CVE-2012-0699 352 1 CSRF 2018-01-11 2018-01-31
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2.9 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add news via an add action to familynews.php or (2) add a prayer via an add action to prayers.php.
3 CVE-2012-3353 200 +Info 2018-01-09 2018-02-05
5.0
None Remote Low Not required Partial None None
The Apache Sling JCR ContentLoader 2.1.4 XmlReader used in the Sling JCR content loader module makes it possible to import arbitrary files in the content repository, including local files, causing potential information leaks. Users should upgrade to version 2.1.6 of the JCR ContentLoader.
4 CVE-2012-6667 79 1 XSS 2018-01-11 2018-01-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in vbshout.php in DragonByte Technologies vBShout module for vBulletin allows remote attackers to inject arbitrary web script or HTML via the shout parameter in a shout action.
5 CVE-2012-6668 79 XSS 2018-01-11 2018-01-31
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Shout Reports in the DragonByte Technologies vBShout module before 6.0.6 for vBulletin allow remote attackers to inject arbitrary web script or HTML via the (1) reportreason parameter in actions/doreport.php or (2) modnotes parameter in actions/updatereport.php.
6 CVE-2012-6670 79 XSS 2018-01-11 2018-01-31
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the DragonByte Technologies vbActivity module before 3.0.1 for vBulletin allow remote attackers to inject arbitrary web script or HTML via the reason parameter in (1) actions/nominatemedal.php or (2) actions/requestmedal.php.
7 CVE-2012-6671 79 XSS 2018-01-11 2018-01-31
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in actions/main.php in the DragonByte Technologies Forumon RPG module before 1.0.8 for vBulletin when creating a new monster, allow remote attackers to inject arbitrary web script or HTML via the (1) monster[title] or (2) monster[description] parameters.
8 CVE-2012-6682 79 XSS 2018-01-11 2018-01-31
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in downloads/actions/editdownload.php in the DragonByte Technologies vBDownloads module 1.3.2 and earlier for vBulletin allows remote attackers to inject arbitrary web script or HTML via the mirrors[] parameter.
9 CVE-2012-6708 79 XSS 2018-01-18 2021-03-25
4.3
None Remote Medium Not required None Partial None
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
10 CVE-2013-4364 59 2018-01-08 2018-02-01
7.2
None Local Low Not required Complete Complete Complete
(1) oo-analytics-export and (2) oo-analytics-import in the openshift-origin-broker-util package in Red Hat OpenShift Enterprise 1 and 2 allow local users to have unspecified impact via a symlink attack on an unspecified file in /tmp.
11 CVE-2014-0087 264 +Priv Bypass 2018-01-11 2018-12-18
6.5
None Remote Low ??? Partial Partial Partial
The check_privileges method in vmdb/app/controllers/application_controller.rb in ManageIQ, as used in Red Hat CloudForms Management Engine (CFME), allows remote authenticated users to bypass authorization and gain privileges by leveraging improper RBAC checking, related to the rbac_user_edit action.
12 CVE-2014-1631 275 2018-01-31 2019-04-26
5.0
None Remote Low Not required None Partial None
Eventum before 2.3.5 allows remote attackers to reinstall the application via direct request to /setup/index.php.
13 CVE-2014-1632 275 Exec Code 2018-01-31 2019-04-26
9.3
None Remote Medium Not required Complete Complete Complete
htdocs/setup/index.php in Eventum before 2.3.5 allows remote attackers to inject and execute arbitrary PHP code via the hostname parameter.
14 CVE-2014-1858 20 2018-01-08 2018-01-30
2.1
None Local Low Not required None Partial None
__init__.py in f2py in NumPy before 1.8.1 allows local users to write to arbitrary files via a symlink attack on a temporary file.
15 CVE-2014-1859 59 2018-01-08 2019-04-22
2.1
None Local Low Not required None Partial None
(1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) f2py/f2py2e.py, and (4) lib/tests/test_io.py in NumPy before 1.8.1 allow local users to write to arbitrary files via a symlink attack on a temporary file.
16 CVE-2014-2017 93 Http R.Spl. 2018-01-18 2018-02-06
5.8
None Remote Medium Not required Partial Partial None
CRLF injection vulnerability in OXID eShop Professional Edition before 4.7.11 and 4.8.x before 4.8.4, Enterprise Edition before 5.0.11 and 5.1.x before 5.1.4, and Community Edition before 4.7.11 and 4.8.x before 4.8.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
17 CVE-2014-2071 264 +Priv 2018-01-08 2018-01-31
4.9
None Local Network Medium ??? Partial Partial Partial
Aruba Networks ClearPass Policy Manager 6.1.x, 6.2.x before 6.2.5.61640 and 6.3.x before 6.3.0.61712, when configured to use tunneled and non-tunneled EAP methods in a single policy construct, allows remote authenticated users to gain privileges by advertising independent inner and outer identities within a tunneled EAP method.
18 CVE-2014-3471 416 DoS 2018-01-12 2018-01-31
2.1
None Local Low Not required None None Partial
Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virtio block devices.
19 CVE-2014-3607 295 2018-01-08 2018-01-31
4.3
None Remote Medium Not required Partial None None
DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
20 CVE-2014-4705 119 DoS Overflow 2018-01-30 2018-02-26
7.8
None Remote Low Not required None None Complete
Multiple heap-based buffer overflows in the eSap software platform in Huawei Campus S9300, S7700, S9700, S5300, S5700, S6300, and S6700 series switches; AR150, AR160, AR200, AR1200, AR2200, AR3200, AR530, NetEngine16EX, SRG1300, SRG2300, and SRG3300 series routers; and WLAN AC6005, AC6605, and ACU2 access controllers allow remote attackers to cause a denial of service (device restart) via a crafted length field in a packet.
21 CVE-2014-4919 264 2018-01-19 2021-01-19
5.8
None Remote Medium Not required None Partial Partial
OXID eShop Professional Edition before 4.7.13 and 4.8.x before 4.8.7, Enterprise Edition before 5.0.13 and 5.1.x before 5.1.7, and Community Edition before 4.7.13 and 4.8.x before 4.8.7 allow remote attackers to assign users to arbitrary dynamical user groups.
22 CVE-2014-4972 434 Exec Code 2018-01-08 2018-02-01
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in the Gravity Upload Ajax plugin 1.1 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file under wp-content/uploads/gravity_forms.
23 CVE-2014-4991 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
(1) lib/dataset/database/mysql.rb and (2) lib/dataset/database/postgresql.rb in the codders-dataset gem 1.3.2.1 for Ruby place credentials on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.
24 CVE-2014-4992 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
lib/cap-strap/helpers.rb in the cap-strap gem 0.1.5 for Ruby places credentials on the useradd command line, which allows local users to obtain sensitive information by listing the process.
25 CVE-2014-4993 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
(1) lib/backup/cli/utility.rb in the backup-agoddard gem 3.0.28 and (2) lib/backup/cli/utility.rb in the backup_checksum gem 3.0.23 for Ruby place credentials on the openssl command line, which allows local users to obtain sensitive information by listing the process.
26 CVE-2014-4994 20 2018-01-10 2018-01-30
2.1
None Local Low Not required None Partial None
lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users to write to arbitrary files via a symlink attack on a temporary file, related to time-based filenames.
27 CVE-2014-4995 200 +Info 2018-01-10 2018-01-30
1.9
None Local Medium Not required Partial None None
Race condition in lib/vlad/dba/mysql.rb in the VladTheEnterprising gem 0.2 for Ruby allows local users to obtain sensitive information by reading the MySQL root password from a temporary file before it is removed.
28 CVE-2014-4996 59 2018-01-10 2018-01-30
2.1
None Local Low Not required None Partial None
lib/vlad/dba/mysql.rb in the VladTheEnterprising gem 0.2 for Ruby allows local users to write to arbitrary files via a symlink attack on /tmp/my.cnf.#{target_host}.
29 CVE-2014-4997 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
lib/commands/setup.rb in the point-cli gem 0.0.1 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process.
30 CVE-2014-4998 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
test/tc_database.rb in the lean-ruport gem 0.3.8 for Ruby places the mysql user password on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.
31 CVE-2014-4999 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
vendor/plugins/dataset/lib/dataset/database/mysql.rb in the kajam gem 1.0.3.rc2 for Ruby places the mysql user password on the (1) mysqldump command line in the capture function and (2) mysql command line in the restore function, which allows local users to obtain sensitive information by listing the process.
32 CVE-2014-5000 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
The login function in lib/lawn.rb in the lawn-login gem 0.0.7 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process.
33 CVE-2014-5001 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
lib/ksymfony1.rb in the kcapifony gem 2.1.6 for Ruby places database user passwords on the (1) mysqldump, (2) pg_dump, (3) mysql, and (4) psql command lines, which allows local users to obtain sensitive information by listing the processes.
34 CVE-2014-5002 255 +Info 2018-01-10 2019-05-06
2.1
None Local Low Not required Partial None None
The lynx gem before 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.
35 CVE-2014-5003 20 +Priv 2018-01-10 2018-01-30
2.1
None Local Low Not required None Partial None
chef/travis-cookbooks/ci_environment/perlbrew/recipes/default.rb in the ciborg gem 3.0.0 for Ruby allows local users to write to arbitrary files and gain privileges via a symlink attack on /tmp/perlbrew-installer.
36 CVE-2014-5004 200 +Info 2018-01-10 2018-01-30
2.1
None Local Low Not required Partial None None
lib/brbackup.rb in the brbackup gem 0.1.1 for Ruby places the database password on the mysql command line, which allows local users to obtain sensitive information by listing the process.
37 CVE-2014-5068 22 Dir. Trav. 2018-01-11 2021-09-13
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the web application in Symmetricom s350i 2.70.15 allows remote attackers to read arbitrary files via a (1) ../ (dot dot slash) or (2) ..\ (dot dot forward slash) before a file name.
38 CVE-2014-5069 79 XSS 2018-01-08 2021-09-13
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Symmetricom s350i 2.70.15 allows remote attackers to inject arbitrary web script or HTML via vectors involving system logs.
39 CVE-2014-5070 264 +Priv 2018-01-11 2021-09-13
6.5
None Remote Low ??? Partial Partial Partial
Symmetricom s350i 2.70.15 allows remote authenticated users to gain privileges via vectors related to pushing unauthenticated users to the login page.
40 CVE-2014-5071 89 Exec Code Sql 2018-01-08 2021-09-13
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the checkPassword function in Symmetricom s350i 2.70.15 allows remote attackers to execute arbitrary SQL commands via vectors involving a username.
41 CVE-2014-5334 254 +Priv 2018-01-08 2018-01-29
10.0
None Remote Low Not required Complete Complete Complete
FreeNAS before 9.3-M3 has a blank admin password, which allows remote attackers to gain root privileges by leveraging a WebGui login.
42 CVE-2014-5394 200 +Info 2018-01-08 2018-01-29
4.3
None Remote Medium Not required Partial None None
Multiple Huawei Campus switches allow remote attackers to enumerate usernames via vectors involving use of SSH by the maintenance terminal.
43 CVE-2014-5509 59 2018-01-08 2018-02-02
3.6
None Local Low Not required None Partial Partial
clipedit in the Clipboard module for Perl allows local users to delete arbitrary files via a symlink attack on /tmp/clipedit$$.
44 CVE-2014-6027 79 XSS 2018-01-16 2018-02-05
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in TorrentFlux 2.4 allow (1) remote attackers to inject arbitrary web script or HTML by leveraging failure to encode file contents when downloading a torrent file or (2) remote authenticated users to inject arbitrary web script or HTML via vectors involving a link to torrent details.
45 CVE-2014-6071 79 XSS 2018-01-16 2018-11-30
4.3
None Remote Medium Not required None Partial None
jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after.
46 CVE-2014-6435 287 DoS 2018-01-12 2018-01-31
5.0
None Remote Low Not required None None Partial
cgi-bin/AZ_Retrain.cgi in Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices does not check for authentication, which allows remote attackers to cause a denial of service (WAN connectivity reset) via a direct request.
47 CVE-2014-6436 287 Exec Code Bypass 2018-01-12 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login.
48 CVE-2014-6437 200 +Info 2018-01-12 2018-10-09
5.0
None Remote Low Not required Partial None None
Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices allow remote attackers to obtain sensitive device configuration information via vectors involving the ROM file.
49 CVE-2014-7221 119 DoS Overflow 2018-01-08 2018-01-30
4.0
None Remote Low ??? None None Partial
TeamSpeak Client 3.0.14 and earlier allows remote authenticated users to cause a denial of service (buffer overflow and application crash) by connecting to a channel with a different client instance, and placing crafted data in the Chat/Server tab containing [img]//http:// substrings.
50 CVE-2014-7222 20 DoS Overflow 2018-01-08 2018-01-30
4.0
None Remote Low ??? None None Partial
Buffer overflow in TeamSpeak Client 3.0.14 and earlier allows remote authenticated users to cause a denial of service (application crash) by connecting to a channel with a different client instance, and placing crafted data in the Chat/Server tab with two \\ (backslash) characters, a digit, a \ (backslash) character, and "z" in a series of nested img BBCODE tags.
Total number of vulnerabilities: 1278 (page 1 of 26)