| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score (CVSS v2) | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2004-2779 | 399 | | | 2018-02-20 | 2018-03-19 | 5.0 | None | Remote | Low | Not required | None | None | Partial | id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until an OOM condition is reached, leading to denial-of-service (DoS). |
| 2 | CVE-2009-4267 | 116 | | | 2018-02-19 | 2018-03-18 | 4.0 | None | Remote | Low | ??? | None | Partial | None | The console in Apache jUDDI 3.0.0 does not properly escape line feeds, which allows remote authenticated users to spoof log entries via the numRows parameter. |
| 3 | CVE-2009-5144 | 254 | | | 2018-02-03 | 2018-03-13 | 5.0 | None | Remote | Low | Not required | None | Partial | None | mod-gnutls does not validate client certificates when "GnuTLSClientVerify require" is set in a directory context, which allows remote attackers to spoof clients via a crafted certificate. |
| 4 | CVE-2010-0109 | 119 | | DoS Overflow | 2018-02-19 | 2018-03-18 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | DBManager in Symantec Altiris Deployment Solution 6.9.x before DS 6.9 SP4 allows remote attackers to cause a denial of service via a crafted request. |
| 5 | CVE-2011-3477 | 20 | | DoS | 2018-02-19 | 2018-03-21 | 4.9 | None | Local | Low | Not required | None | None | Complete | GEAR Software CD DVD Filter driver (aka GEARAspiWDM.sys), as used in Symantec Backup Exec System Recovery 8.5 and BESR 2010, Symantec System Recovery 2011, Norton 360, and Norton Ghost, allows local users to cause a denial of service (system crash) via unspecified vectors. |
| 6 | CVE-2011-4068 | 287 | | Bypass | 2018-02-01 | 2018-02-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The check_password function in html/admin/login.php in PacketFence before 3.0.2 allows remote attackers to bypass authentication via an empty password. |
| 7 | CVE-2011-4069 | 90 | | Bypass | 2018-02-01 | 2018-02-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | html/admin/login.php in PacketFence before 3.0.2 allows remote attackers to conduct LDAP injection attacks and consequently bypass authentication via a crafted username. |
| 8 | CVE-2011-4889 | 254 | | | 2018-02-08 | 2018-03-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The javax.naming.directory.AttributeInUseException class in the Virtual Member Manager in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.43, 7.0 before 7.0.0.21, and 8.0 before 8.0.0.2 does not properly update passwords on a configuration using Tivoli Directory Server, which might allow remote attackers to gain access to an application by leveraging knowledge of an old password. IBM X-Force ID: 72581. |
| 9 | CVE-2011-4973 | 287 | | Bypass | 2018-02-15 | 2018-03-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Authentication bypass vulnerability in mod_nss 1.0.8 allows remote attackers to assume the identity of a valid user by using their certificate and entering 'password' as the password. |
| 10 | CVE-2012-0771 | 119 | | DoS Exec Code Overflow Mem. Corr. | 2018-02-19 | 2018-03-18 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Adobe Shockwave Player before 11.6.4.634 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-0759. |
| 11 | CVE-2012-0941 | 79 | 1 | XSS | 2018-02-08 | 2018-02-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiGate UTM WAF appliances with FortiOS 4.3.x before 4.3.6 allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) Endpoint Monitor, (2) Dialup List, or (3) Log&Report Display modules, or the fields_sorted_opt parameter to (4) user/auth/list or (5) endpointcompliance/app_detect/predefined_sig_list. |
| 12 | CVE-2012-2166 | 798 | | | 2018-02-08 | 2018-03-10 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | IBM XIV Storage System 2810-A14 and 2812-A14 devices before level 10.2.4.e-2 and 2810-114 and 2812-114 devices before level 11.1.1 have hardcoded passwords for unspecified accounts, which allows remote attackers to gain user access via unknown vectors. IBM X-Force ID: 75041. |
| 13 | CVE-2012-3331 | 200 | | +Info | 2018-02-08 | 2018-02-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Sametime allows remote attackers to obtain sensitive information from the Sametime Log database via a direct request to STLOG.NSF. IBM X-Force ID: 78048. |
| 14 | CVE-2012-3536 | 79 | | XSS | 2018-02-27 | 2018-03-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Two XSS vulnerabilities were fixed in message list and view in the Hupa Webmail application from the Apache James project. An attacker could send a carefully crafted email to a user of Hupa which would trigger an XSS when the email was opened or when a list of messages was viewed. This issue was addressed in Hupa 0.0.3. |
| 15 | CVE-2012-5359 | 20 | | Exec Code | 2018-02-08 | 2018-02-23 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Libavcodec in FFmpeg before 0.11 allows remote attackers to execute arbitrary code via a crafted ASF file. |
| 16 | CVE-2012-5360 | 20 | | Exec Code | 2018-02-08 | 2018-02-23 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Libavcodec in FFmpeg before 0.11 allows remote attackers to execute arbitrary code via a crafted QT file. |
| 17 | CVE-2012-6346 | 79 | | XSS | 2018-02-09 | 2018-02-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in FortiWeb before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) redir or (2) mkey parameter to waf/pcre_expression/validate. |
| 18 | CVE-2012-6347 | 79 | | XSS | 2018-02-09 | 2018-02-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Java number format exception handling in FortiGate FortiDB before 4.4.2 allow remote attackers to inject arbitrary web script or HTML via the conversationContext parameter to (1) admin/auditTrail.jsf, (2) mapolicymgmt/targetsMonitorView.jsf, (3) vascan/globalsummary.jsf, (4) vaerrorlog/vaErrorLog.jsf, (5) database/listTargetGroups.jsf, (6) sysconfig/listSystemInfo.jsf, (7) vascan/list.jsf, (8) network/router.jsf, (9) mapolicymgmt/editPolicyProfile.jsf, or (10) mapolicymgmt/maPolicyMasterList.jsf. |
| 19 | CVE-2012-6709 | 295 | | | 2018-02-23 | 2018-03-20 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | ELinks 0.12 and Twibright Links 2.3 have Missing SSL Certificate Validation. |
| 20 | CVE-2013-0267 | 264 | | DoS +Priv XSS | 2018-02-21 | 2019-07-29 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Privileges portion of the web GUI and the XMLRPC API in Apache VCL 2.3.x before 2.3.2, 2.2.x before 2.2.2 and 2.1 allow remote authenticated users with nodeAdmin, manageGroup, resourceGrant, or userGrant permissions to gain privileges, cause a denial of service, or conduct cross-site scripting (XSS) attacks by leveraging improper data validation. |
| 21 | CVE-2013-2830 | 416 | | Exec Code | 2018-02-08 | 2020-03-11 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Use-after-free vulnerability in SumatraPDF Reader 2.x before 2.2.1 allows remote attackers to execute arbitrary code via a crafted PDF file. |
| 22 | CVE-2013-3552 | 119 | | Exec Code Overflow | 2018-02-08 | 2018-02-24 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Nitro Pro 7.5.0.29 and earlier and Nitro Reader 2.5.0.45 and earlier allow remote attackers to execute arbitrary code via a crafted PDF file. |
| 23 | CVE-2013-3553 | 119 | | Exec Code Overflow | 2018-02-08 | 2018-02-24 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Nitro Pro 7.5.0.22 and earlier and Nitro Reader 2.5.0.36 and earlier allow remote attackers to execute arbitrary code via a crafted PDF file. |
| 24 | CVE-2013-4317 | 200 | | +Info | 2018-02-06 | 2018-02-26 | 4.0 | None | Remote | Low | ??? | Partial | None | None | In Apache CloudStack 4.1.0 and 4.1.1, when calling the CloudStack API call listProjectAccounts as a regular, non-administrative user, the user is able to see information for accounts other than their own. |
| 25 | CVE-2013-4891 | 79 | | XSS Bypass | 2018-02-21 | 2018-03-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The xss_clean function in CodeIgniter before 2.1.4 might allow remote attackers to bypass an intended protection mechanism and conduct cross-site scripting (XSS) attacks via an unclosed HTML tag. |
| 26 | CVE-2013-7435 | 200 | | +Info | 2018-02-01 | 2018-02-16 | 4.0 | None | Remote | Low | ??? | Partial | None | None | The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtain sensitive settings history information by leveraging lack of user permission for retrieval in fm_IDL.xml. |
| 27 | CVE-2014-0013 | 79 | | XSS | 2018-02-15 | 2018-08-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Ember.js 1.0.x before 1.0.1, 1.1.x before 1.1.3, 1.2.x before 1.2.1, 1.3.x before 1.3.1, and 1.4.x before 1.4.0-beta.2 allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging an application that contains templates whose context is set to a user-supplied primitive value and also contain the `{{this}}` special Handlebars variable. |
| 28 | CVE-2014-0014 | 79 | | XSS | 2018-02-15 | 2018-10-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Ember.js 1.0.x before 1.0.1, 1.1.x before 1.1.3, 1.2.x before 1.2.1, 1.3.x before 1.3.1, and 1.4.x before 1.4.0-beta.2 allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging an application using the "{{group}}" Helper and a crafted payload. |
| 29 | CVE-2014-1834 | 77 | | | 2018-02-02 | 2018-02-14 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to inject arbitrary code by adding a semicolon in their username or password. |
| 30 | CVE-2014-1835 | 255 | | | 2018-02-02 | 2018-02-14 | 2.1 | None | Local | Low | Not required | Partial | None | None | The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to steal the login credentials by watching the process table. |
| 31 | CVE-2014-3005 | 611 | | Exec Code | 2018-02-01 | 2018-02-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. |
| 32 | CVE-2014-3205 | 798 | | | 2018-02-23 | 2018-03-18 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | backupmgt/pre_connect_check.php in Seagate BlackArmor NAS contains a hard-coded password of '!~@##$$%FREDESWWSED' for a backdoor user. |
| 33 | CVE-2014-3206 | 20 | | Exec Code | 2018-02-23 | 2018-03-19 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the auth_name parameter to localhost/backupmgmt/pre_connect_check.php. |
| 34 | CVE-2014-3219 | 59 | | | 2018-02-09 | 2019-09-24 | 4.3 | None | Local | Low | ??? | Partial | Partial | Partial | fish before 2.1.1 allows local users to write to arbitrary files via a symlink attack on (1) /tmp/fishd.log.%s, (2) /tmp/.pac-cache.$USER, (3) /tmp/.yum-cache.$USER, or (4) /tmp/.rpm-cache.$USER. |
| 35 | CVE-2014-3244 | 611 | | Exec Code | 2018-02-01 | 2018-02-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. |
| 36 | CVE-2014-3519 | 284 | | Bypass | 2018-02-01 | 2018-02-27 | 4.9 | None | Local | Low | Not required | Complete | None | None | The open_by_handle_at function in vzkernel before 042stab090.5 in the OpenVZ modification for the Linux kernel 2.6.32, when using simfs, might allow local container users with CAP_DAC_READ_SEARCH capability to bypass an intended container protection mechanism and access arbitrary files on a filesystem via vectors related to use of the file_handle structure. |
| 37 | CVE-2014-3752 | 264 | | Exec Code | 2018-02-01 | 2018-10-09 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | The MiniIcpt.sys driver in G Data TotalProtection 2014 24.0.2.1 and earlier allows local users with administrator rights to execute arbitrary code with SYSTEM privileges via a crafted 0x83170180 call. |
| 38 | CVE-2014-3972 | 22 | | Dir. Trav. | 2018-02-19 | 2018-03-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in Apexis APM-J601-WS cameras with firmware before 17.35.2.49 allows remote attackers to read arbitrary files via unspecified vectors. |
| 39 | CVE-2014-4066 | 119 | | DoS Exec Code Overflow Mem. Corr. | 2018-02-08 | 2018-03-08 | 7.6 | None | Remote | High | Not required | Complete | Complete | Complete | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2787, CVE-2014-2790, CVE-2014-2802, and CVE-2014-2806. |
| 40 | CVE-2014-4112 | 119 | | DoS Exec Code Overflow Mem. Corr. | 2018-02-08 | 2018-03-08 | 7.6 | None | Remote | High | Not required | Complete | Complete | Complete | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0304. |
| 41 | CVE-2014-4145 | 119 | | DoS Exec Code Overflow Mem. Corr. | 2018-02-08 | 2018-03-08 | 7.6 | None | Remote | High | Not required | Complete | Complete | Complete | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2810, CVE-2014-2811, CVE-2014-2822, CVE-2014-2823, CVE-2014-4057, and CVE-2014-8985. |
| 42 | CVE-2014-5279 | 284 | | Exec Code +Priv | 2018-02-06 | 2019-04-29 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | The Docker daemon managed by boot2docker 1.2 and earlier improperly enables unauthenticated TCP connections by default, which makes it easier for remote attackers to gain privileges or execute arbitrary code from children containers. |
| 43 | CVE-2014-5280 | 352 | | CSRF | 2018-02-06 | 2020-01-30 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | boot2docker 1.2 and earlier allows attackers to conduct cross-site request forgery (CSRF) attacks by leveraging Docker daemons enabling TCP connections without TLS authentication. |
| 44 | CVE-2014-5282 | 20 | | | 2018-02-06 | 2019-04-29 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via 'docker load'. |
| 45 | CVE-2014-8171 | 399 | | DoS | 2018-02-09 | 2019-04-22 | 4.9 | None | Local | Low | Not required | None | None | Complete | The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of service (deadlock) by spawning new processes within a memory-constrained cgroup. |
| 46 | CVE-2014-8985 | 119 | | DoS Exec Code Overflow Mem. Corr. | 2018-02-08 | 2018-02-23 | 7.6 | None | Remote | High | Not required | Complete | Complete | Complete | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2810, CVE-2014-2811, CVE-2014-2822, CVE-2014-2823, CVE-2014-4057, and CVE-2014-4145. |
| 47 | CVE-2014-9502 | 352 | | CSRF | 2018-02-01 | 2018-02-27 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in unspecified sub modules in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allow remote attackers to hijack the authentication of unknown victims via vectors related to menu callbacks. |
| 48 | CVE-2014-9503 | 264 | | | 2018-02-01 | 2018-02-27 | 5.5 | None | Remote | Low | ??? | None | Partial | Partial | The Discussions sub module in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allows remote authenticated users with "access content" permissions to modify arbitrary nodes by leveraging improper access checks on unspecified ajax callbacks. |
| 49 | CVE-2014-9504 | 284 | | | 2018-02-01 | 2018-02-27 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The OG Subgroups module, when used with the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal, allows remote attackers to access child groups via vectors related to membership inheritance. |
| 50 | CVE-2014-10070 | 264 | | | 2018-02-27 | 2018-03-21 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | zsh before 5.0.7 allows evaluation of the initial values of integer variables imported from the environment (instead of treating them as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege-elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where "env_reset" has been disabled. |

Score, Access, Complexity, Authentication and the Conf./Integ./Avail. columns are CVSS v2 base metrics. A `???` in the Authentication column appears as such in the source listing; every row carrying it describes an issue reachable by authenticated users.
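Row 1 (CVE-2004-2779) describes a decoder loop whose termination test assumes an even byte count, so an ID3v2 text frame with an odd number of UTF-16 bytes keeps the cursor from ever landing on the end and the loop allocates until the process dies. The following is an added illustration, not libid3tag's code: `decode_utf16_unbounded` reproduces that loop shape (with a step cap, which is an addition purely so the demo terminates), and `decode_utf16_bounded` is the shape a practitioner wants, iterating over the number of whole 16-bit units, honouring a BOM and the NUL terminator, and folding surrogate pairs.

```python
"""UTF-16 text decoding that tolerates an odd byte count.

Added illustration for the libid3tag row (CVE-2004-2779); not libid3tag's code.
"""

MAX_STEPS = 1_000  # guard added for the demo only, so the buggy loop cannot run forever


def decode_utf16_unbounded(data, max_steps=MAX_STEPS):
    """Loop shape that misbehaves on odd lengths.

    The cursor advances two bytes per pass and the loop stops only when it
    lands exactly on len(data). With an odd length it never does: slices past
    the end return b'' (decoded as U+0000), the output keeps growing, and
    without the demo guard memory would grow until OOM.
    Returns (text, guard_fired).
    """
    out = []
    pos = 0
    steps = 0
    while pos != len(data):
        if steps >= max_steps:
            return "".join(out), True
        unit = int.from_bytes(data[pos:pos + 2], "little")
        out.append(chr(unit))
        pos += 2
        steps += 1
    return "".join(out), False


def decode_utf16_bounded(data):
    """Decode ID3v2-style UTF-16 text: optional BOM, NUL-terminated, odd tail dropped.

    The loop is bounded by the count of complete 16-bit units, so a trailing
    odd byte can never push the cursor past the end of the buffer.
    """
    order = "little"
    pos = 0
    if data[:2] == b"\xff\xfe":
        pos = 2
    elif data[:2] == b"\xfe\xff":
        order, pos = "big", 2
    units = (len(data) - pos) // 2  # whole code units only
    out = []
    high = None  # pending high surrogate
    for _ in range(units):
        unit = int.from_bytes(data[pos:pos + 2], order)
        pos += 2
        if unit == 0:  # NUL terminator
            break
        if high is not None:
            if 0xDC00 <= unit <= 0xDFFF:
                out.append(chr(0x10000 + ((high - 0xD800) << 10) + (unit - 0xDC00)))
                high = None
                continue
            out.append("\ufffd")  # orphan high surrogate
            high = None
        if 0xD800 <= unit <= 0xDBFF:
            high = unit
        elif 0xDC00 <= unit <= 0xDFFF:
            out.append("\ufffd")  # orphan low surrogate
        else:
            out.append(chr(unit))
    if high is not None:
        out.append("\ufffd")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: BOM, "Ab", then a stray trailing byte (odd length).
    sample = b"\xff\xfe" + "Ab".encode("utf-16-le") + b"\x41"
    print(decode_utf16_bounded(sample))
    print(decode_utf16_unbounded(b"A\x00B\x00A"))
```

The defensive check is the `units = (len(data) - pos) // 2` bound: it makes the loop's termination depend on a count computed before the loop rather than on the cursor happening to hit `len(data)` exactly.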
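Row 2 (CVE-2009-4267) is log injection: a request parameter containing a line feed is written to the log verbatim, and anything after the line feed reads as a separate entry to a line-oriented log reader. The following added example is not jUDDI's code; the parameter name `numRows` comes from the advisory, the log format and the `INFO` prefix are assumptions. It shows the naive write producing a forged entry, the escaping that keeps the value on one line, and a reader that counts entries the way a log viewer would.

```python
"""Neutralising CR/LF in attacker-controlled values before they reach a log.

Added illustration for the Apache jUDDI row (CVE-2009-4267); not jUDDI's code.
"""
import re

CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_NAMED = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def escape_for_log(value):
    """Map CR, LF and other control characters to visible escapes."""
    return CONTROL.sub(lambda m: _NAMED.get(m.group(0), "\\x%02x" % ord(m.group(0))), value)


def log_line_naive(user, param, value):
    """Vulnerable: the value is interpolated as-is, newlines included."""
    return "INFO user=%s %s=%s\n" % (user, param, value)


def log_line_safe(user, param, value):
    """Every attacker-influenced field is escaped, so the entry stays one line."""
    return "INFO user=%s %s=%s\n" % (escape_for_log(user), param, escape_for_log(value))


ENTRY = re.compile(r"^(INFO|WARN|ERROR) ")


def parse_entries(log_text):
    """Split a log buffer into entries the way a line-oriented reader would."""
    return [ln for ln in log_text.split("\n") if ENTRY.match(ln)]


# Constructed payload: a numRows value that smuggles a second, forged entry.
PAYLOAD = "10\nINFO user=admin login=success"

if __name__ == "__main__":
    print(parse_entries(log_line_naive("guest", "numRows", PAYLOAD)))
    print(parse_entries(log_line_safe("guest", "numRows", PAYLOAD)))
```

Escaping at the logging boundary, rather than validating `numRows` alone, covers every field that can carry user input, including the username.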
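Rows 6 and 7 (CVE-2011-4068, CVE-2011-4069) are two bugs in one login path: an empty password accepted as valid, and a username spliced into an LDAP search filter so that `*`, `(` and `)` change the filter's structure. The following added example is not PacketFence's code and makes no claim about how its `login.php` was written. Escaping follows RFC 4515 section 3, which writes `*`, `(`, `)`, `\` and NUL in an assertion value as a backslash plus two hex digits. The `search` and `bind` callables, and the in-memory directory, are stand-ins (assumptions) so the flow can be exercised offline.

```python
"""LDAP filter construction without injection, plus an empty-credential check.

Added illustration for the PacketFence rows (CVE-2011-4068, CVE-2011-4069);
not PacketFence's code. Escaping per RFC 4515 section 3.
"""

_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    """Escape an assertion value so it cannot alter filter structure."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def user_filter_naive(username, attr="uid"):
    """Vulnerable: the username is dropped straight into the filter."""
    return "(%s=%s)" % (attr, username)


def user_filter(username, attr="uid"):
    return "(%s=%s)" % (attr, ldap_escape(username))


def authenticate(username, password, search, bind):
    """True only for a non-empty password that binds as exactly one user.

    search(filter) -> list of DNs and bind(dn, password) -> bool are stand-ins
    for a directory client (assumption). An empty password is rejected before
    anything reaches the server, because many servers treat an empty-password
    bind as an anonymous bind that succeeds.
    """
    if not username or not password:
        return False
    dns = search(user_filter(username))
    if len(dns) != 1:
        return False
    return bind(dns[0], password)


# Constructed in-memory directory: username -> (dn, password)
DIRECTORY = {"alice": ("uid=alice,ou=people,dc=example,dc=org", "s3cret")}


def fake_search(filt):
    """Understands only exact '(uid=<literal>)' filters; anything else matches nothing."""
    if not (filt.startswith("(uid=") and filt.endswith(")")):
        return []
    name = filt[5:-1]
    return [DIRECTORY[name][0]] if name in DIRECTORY else []


def fake_bind(dn, password):
    return any(d == dn and p == password for d, p in DIRECTORY.values())


if __name__ == "__main__":
    print(user_filter_naive("*)(uid=*"))   # structure changed by the input
    print(user_filter("*)(uid=*"))         # input stays inside one assertion
    print(authenticate("alice", "", fake_search, fake_bind))
```

The `len(dns) != 1` check is the second line of defence: even if a filter did match several entries, the code refuses to bind as whichever one came back first.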
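Rows 29 and 30 (CVE-2014-1834, CVE-2014-1835) describe the same function failing twice: the username and password are interpolated into a shell command line, so a semicolon ends the intended command, and because the credentials sit in the command line any local user can read them from the process table. The following added example is not echor's code; the child program is a constructed stand-in that reports the arguments and stdin it received. One version builds a shell string, the other passes an argv list with no shell and delivers the password over stdin.

```python
"""Invoking a helper with user-supplied credentials: shell string vs argv list.

Added illustration for the echor rows (CVE-2014-1834, CVE-2014-1835); not echor's
code. Requires a POSIX sh for the vulnerable variant.
"""
import subprocess
import sys

# Stand-in for the external client (constructed): prints its argv and how many
# bytes arrived on stdin.
CHILD = ("import sys; u = sys.argv[1]; pw = sys.stdin.read(); "
         "print(f'user={u} argv={sys.argv[1:]} pwlen={len(pw)}')")

# Constructed payload: closes the quoted argument and appends a command.
PAYLOAD_USER = "x'; echo INJECTED; echo '"


def run_with_shell(user, password):
    """Vulnerable: credentials interpolated into a string handed to sh -c.

    The password is also visible to `ps` for the lifetime of the child.
    """
    cmd = "%s -c \"%s\" '%s' '%s'" % (sys.executable, CHILD, user, password)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return proc.stdout


def build_argv(user):
    """argv list: each element is one argument, nothing is re-parsed by a shell."""
    return [sys.executable, "-c", CHILD, user]


def run_with_argv(user, password):
    """Hardened: no shell, and the password travels over stdin, not argv."""
    proc = subprocess.run(build_argv(user), input=password,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print(run_with_shell(PAYLOAD_USER, "hunter2"))
    print(run_with_argv(PAYLOAD_USER, "hunter2"))
```

Passing the secret on stdin (or through a file descriptor or a credentials file with tight permissions) is what keeps it out of `/proc/<pid>/cmdline`; the argv list alone fixes only the injection.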
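Row 34 (CVE-2014-3219) is the classic predictable-name symlink attack: the program opens `/tmp/fishd.log.<user>` for writing, an attacker who can guess that name plants a symlink there first, and the open follows it to whatever file the victim can write. The following added example is not fish's code. It plays both sides inside a scratch directory: the attacker plants the link, the naive open clobbers the target, the `O_CREAT|O_EXCL|O_NOFOLLOW` open refuses the planted entry, and `tempfile.mkstemp` avoids the race altogether by not using a guessable name.

```python
"""Creating a per-user file in a shared directory without following a planted symlink.

Added illustration for the fish row (CVE-2014-3219); not fish's code.
"""
import os
import tempfile


def create_predictable(path, data):
    """Vulnerable pattern: open(..., "w") follows whatever is already at `path`."""
    with open(path, "w") as fh:
        fh.write(data)


def create_exclusive(path, data):
    """Refuses a pre-existing entry: raises FileExistsError if one was planted."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def create_private(prefix, directory, data):
    """Unpredictable name, created exclusively with mode 0600; returns the path used."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    """Attacker plants a symlink; victim writes its log file three ways.

    Returns (naive_open_clobbered_target, exclusive_open_refused, private_file_is_0600).
    """
    workdir = tempfile.mkdtemp(prefix="symlink-demo-")
    victim = os.path.join(workdir, "victim.txt")        # a file the victim can write
    with open(victim, "w") as fh:
        fh.write("original")

    planted = os.path.join(workdir, "fishd.log.alice")  # predictable name, as in the advisory
    os.symlink(victim, planted)                         # attacker's move

    create_predictable(planted, "overwritten")
    with open(victim) as fh:
        clobbered = fh.read() == "overwritten"

    try:
        create_exclusive(planted, "overwritten again")
        refused = False
    except FileExistsError:
        refused = True

    private = create_private("fishd.log.", workdir, "log data")
    mode_ok = (os.stat(private).st_mode & 0o777) == 0o600
    return clobbered, refused, mode_ok


if __name__ == "__main__":
    print(demo())
```

`O_EXCL` is what makes the planted symlink fail (POSIX specifies `O_CREAT|O_EXCL` fails when the path names a symlink); `O_NOFOLLOW` additionally stops a later non-exclusive reopen of the same path from being redirected.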
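Row 25 (CVE-2013-4891) is a bypass of an input-side XSS filter "via an unclosed HTML tag". The following added example is not CodeIgniter's `xss_clean`; `naive_clean` is a constructed stand-in for the class of filter that only recognises a tag once it sees the closing `>`. Leave the `>` off and the filter sees no tag, while the page that later embeds the value supplies a `>` of its own, so the browser still gets a complete `<img onerror=...>`. The dependable control is encoding at output time, shown with `html.escape`, which never needs to recognise tags at all.

```python
"""Why a tag-stripping input filter fails on an unclosed tag, and the output-encoding fix.

Added illustration for the CodeIgniter row (CVE-2013-4891); not CodeIgniter's code.
"""
import html
import re

TAG = re.compile(r"<[^>]*>")  # matches only complete tags


def naive_clean(value):
    """Blocklist-style filter: drops complete tags, passes everything else."""
    return TAG.sub("", value)


def render_naive(value):
    """Template that trusts the cleaned value."""
    return "<p>" + naive_clean(value) + "</p>"


def render_escaped(value):
    """Template that encodes at the point of output instead."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


def first_tag_after_p(page):
    """What a tokenizer treats as the next tag after the opening <p>: from the
    first '<' to the first following '>' (assumption: sufficient for payloads
    without a quoted '>')."""
    body = page[len("<p>"):]
    start = body.find("<")
    end = body.find(">", start)
    return body[start:end + 1]


# Constructed payloads
CLOSED = '<img src=x onerror="alert(1)">'
UNCLOSED = '<img src=x onerror="alert(1)"'

if __name__ == "__main__":
    print(render_naive(UNCLOSED))
    print(first_tag_after_p(render_naive(UNCLOSED)))
    print(render_escaped(UNCLOSED))
```

In the naive rendering the tag the browser sees runs from `<img` to the `>` of the template's own `</p>`, with `onerror` intact; the escaped rendering contains no `<` at all in the user-controlled span.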