CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In March 2018

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2011-3178 | 94 | | Exec Code | 2018-03-20 | 2019-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | In the web UI of the openbuildservice before 2.3.0 a code injection of the project rebuildtimes statistics could be used by authorized attackers to execute shellcode. |
| 2 | CVE-2014-0486 | 20 | | DoS | 2018-03-27 | 2018-04-19 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Knot DNS before 1.5.2 allows remote attackers to cause a denial of service (application crash) via a crafted DNS message. |
| 3 | CVE-2014-1215 | 119 | | Overflow +Priv | 2018-03-20 | 2018-10-09 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Multiple buffer overflows in Core FTP Server before 1.2 build 508 allow local users to gain privileges via vectors related to reading data from config.dat and Windows Registry. |
| 4 | CVE-2014-1457 | 352 | | Bypass CSRF | 2018-03-20 | 2018-04-17 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Open Web Analytics (OWA) before 1.5.6 improperly generates random nonce values, which makes it easier for remote attackers to bypass a CSRF protection mechanism by leveraging knowledge of an OWA user name. |
| 5 | CVE-2014-1665 | 79 | | XSS | 2018-03-20 | 2018-04-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file. |
| 6 | CVE-2014-2031 | 125 | | DoS | 2018-03-20 | 2018-04-18 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Deadwood before 2.3.09, 3.x before 3.2.05, and as used in MaraDNS before 1.4.14 and 2.x before 2.0.09, allow remote attackers to cause a denial of service (out-of-bounds read and crash) by leveraging permission to perform recursive queries against Deadwood, related to a logic error. |
| 7 | CVE-2014-2032 | 20 | | DoS | 2018-03-20 | 2018-04-18 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Deadwood before 2.3.09, 3.x before 3.2.05, and as used in MaraDNS before 1.4.14 and 2.x before 2.0.09, allow remote attackers to cause a denial of service (out-of-bounds read and crash) by leveraging permission to perform recursive queries against Deadwood, related to missing input validation. |
| 8 | CVE-2014-2048 | 284 | | | 2018-03-26 | 2018-06-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID implementation. |
| 9 | CVE-2014-2274 | 352 | | XSS CSRF | 2018-03-19 | 2018-04-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the Subscribe To Comments Reloaded plugin before 140219 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via a request to the subscribe-to-comments-reloaded/options/index.php page to wp-admin/admin.php. |
| 10 | CVE-2014-2293 | 94 | | Exec Code | 2018-03-26 | 2018-04-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php. |
| 11 | CVE-2014-2297 | 79 | | XSS | 2018-03-19 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin 4.29.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) n parameter to ls/htmlchat.php or (2) bgcolor parameter to ls/index.php. NOTE: vector 1 may overlap CVE-2014-1906.4. |
| 12 | CVE-2014-2312 | 59 | | | 2018-03-26 | 2019-11-20 | 6.6 | None | Local | Low | Not required | None | Complete | Complete | The main function in android_main.cpp in thermald allows local users to write to arbitrary files via a symlink attack on /tmp/thermald.pid. |
| 13 | CVE-2014-2550 | 352 | | CSRF | 2018-03-19 | 2018-04-17 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the Disable Comments plugin before 1.0.4 for WordPress allows remote attackers to hijack the authentication of administrators for requests that enable comments via a request to the disable_comments_settings page to wp-admin/options-general.php. |
| 14 | CVE-2014-2592 | 434 | | Exec Code | 2018-03-09 | 2018-03-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Unrestricted file upload vulnerability in Aruba Web Management portal allows remote attackers to execute arbitrary code by uploading a file with an executable extension. |
| 15 | CVE-2014-2652 | 89 | | Exec Code Sql | 2018-03-19 | 2018-04-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in OpenScape Deployment Service (DLS) before 6.x and 7.x before R1.11.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| 16 | CVE-2014-2674 | 22 | | Dir. Trav. | 2018-03-19 | 2018-04-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in the Ajax Pagination (twitter Style) plugin 1.1 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the loop parameter in an ajax_navigation action to wp-admin/admin-ajax.php. |
| 17 | CVE-2014-2675 | 352 | | CSRF | 2018-03-19 | 2018-04-18 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in inc/AdminPage.php in the WP HTML Sitemap plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete the sitemap via a request to the wp-html-sitemap page in wp-admin/options-general.php. |
| 18 | CVE-2014-2884 | 200 | | Bypass +Info | 2018-03-19 | 2018-04-20 | 2.1 | None | Local | Low | Not required | Partial | None | None | The ProcessVolumeDeviceControlIrp function in Ntdriver.c in TrueCrypt 7.1a allows local users to bypass access restrictions and obtain sensitive information about arbitrary files via a (1) TC_IOCTL_OPEN_TEST or (2) TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG IOCTL call. |
| 19 | CVE-2014-2885 | 200 | | DoS Overflow +Info | 2018-03-19 | 2018-04-20 | 3.6 | None | Local | Low | Not required | Partial | None | Partial | Multiple integer overflows in TrueCrypt 7.1a allow local users to (1) obtain sensitive information via vectors involving a crafted item->OriginalLength value in the MainThreadProc function in EncryptedIoQueue.c or (2) cause a denial of service (memory consumption) via vectors involving large StartingOffset and Length values in the ProcessVolumeDeviceControlIrp function in Ntdriver.c. |
| 20 | CVE-2014-3626 | 22 | | Dir. Trav. | 2018-03-19 | 2018-04-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Grails Resource Plugin often has to exchange URIs for resources with other internal components. Those other components will decode any URI passed to them. To protect against directory traversal the Grails Resource Plugin did the following: normalized the URI, checked the normalized URI did not step outside the appropriate root directory (e.g. the web application root), decoded the URI and checked that this did not introduce additional /../ (and similar) sequences. A bug was introduced where the Grails Resource Plugin before 1.2.13 returned the decoded version of the URI rather than the normalized version of the URI after the directory traversal check. This exposed a double decoding vulnerability. To address this issue, the Grails Resource Plugin now repeatedly decodes the URI up to three times or until decoding no longer changes the URI. If the decode limit of 3 is exceeded the URI is rejected. A side-effect of this is that the Grails Resource Plugin is unable to serve a resource that includes a '%' character in the full path to the resource. Not all environments are vulnerable because of the differences in URL resolving in different servlet containers. Applications deployed to Tomcat 8 and Jetty 9 were found not to be vulnerable, however applications deployed to JBoss EAP 6.3 / JBoss AS 7.4 and JBoss AS 7.1 were found to be vulnerable (other JBoss versions weren't tested). In certain cases JBoss returns JBoss specific vfs protocol URLs from URL resolution methods (ClassLoader.getResources). The JBoss vfs URL protocol supports resolving any file on the filesystem. This made the directory traversal possible. There may be other containers, in addition to JBoss, on which this vulnerability is exposed. |
| 21 | CVE-2014-3990 | 611 | | Exec Code | 2018-03-20 | 2019-04-25 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object, related to the quantity parameter in an update request. |
| 22 | CVE-2014-4024 | 200 | | +Info | 2018-03-19 | 2019-06-06 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | SSL virtual servers in F5 BIG-IP systems 10.x before 10.2.4 HF9, 11.x before 11.2.1 HF12, 11.3.0 before HF10, 11.4.0 before HF8, 11.4.1 before HF5, 11.5.0 before HF5, and 11.5.1 before HF5, when used with third-party Secure Sockets Layer (SSL) accelerator cards, might allow remote attackers to have unspecified impact via a timing side-channel attack. |
| 23 | CVE-2014-4612 | 79 | | XSS | 2018-03-16 | 2018-04-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the keywords manager (keywordmgr.php) in Coppermine Photo Gallery before 1.5.27 and 1.6.x before 1.6.01 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 24 | CVE-2014-4613 | 352 | 1 | CSRF | 2018-03-16 | 2018-04-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php. |
| 25 | CVE-2014-4861 | 255 | | | 2018-03-09 | 2018-03-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The Remote Desktop Launcher in Thycotic Secret Server before 8.6.000010 does not properly clean up a temporary file that contains an encrypted password once a session has ended. |
| 26 | CVE-2014-4912 | 434 | | | 2018-03-22 | 2018-04-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An Arbitrary File Upload issue was discovered in Frog CMS 0.9.5 due to lack of extension validation. |
| 27 | CVE-2014-4928 | 89 | | Exec Code Sql | 2018-03-20 | 2020-06-03 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SQL injection vulnerability in Invision Power Board (aka IPB or IP.Board) before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the cId parameter. |
| 28 | CVE-2014-4959 | 89 | | Exec Code Sql | 2018-03-27 | 2018-04-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | **DISPUTED** SQL injection vulnerability in SQLiteDatabase.java in the SQLi Api in Android allows remote attackers to execute arbitrary SQL commands via the delete method. |
| 29 | CVE-2014-5028 | 200 | | Bypass +Info | 2018-03-29 | 2018-04-24 | 4.0 | None | Remote | Low | ??? | Partial | None | None | The Original File and Patched File resources in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allow remote authenticated users to bypass intended access restrictions and obtain sensitive information from repository files by leveraging knowledge of database ids. |
| 30 | CVE-2014-5044 | 190 | | DoS Exec Code Overflow | 2018-03-07 | 2018-03-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multiple integer overflows in libgfortran might allow remote attackers to execute arbitrary code or cause a denial of service (Fortran application crash) via vectors related to array allocation. |
| 31 | CVE-2014-5130 | 200 | | +Info | 2018-03-27 | 2019-03-11 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Avolve Software ProjectDox 8.1 allows remote authenticated users to obtain sensitive information from other users via vectors involving a direct access token. |
| 32 | CVE-2014-5131 | 200 | | +Info | 2018-03-27 | 2019-03-11 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Avolve Software ProjectDox 8.1 makes it easier for remote authenticated users to obtain sensitive information by leveraging ciphertext reuse. |
| 33 | CVE-2014-5132 | 200 | | +Info | 2018-03-27 | 2019-03-11 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Avolve Software ProjectDox 8.1 allows remote attackers to enumerate users via vectors related to email addresses. |
| 34 | CVE-2014-5170 | 20 | | Exec Code | 2018-03-29 | 2018-04-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The Storage API module 7.x before 7.x-1.6 for Drupal might allow remote attackers to execute arbitrary code by leveraging failure to update .htaccess file contents after SA-CORE-2013-003. |
| 35 | CVE-2014-5443 | 264 | | +Priv | 2018-03-19 | 2018-04-20 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Seafile Server before 3.1.2 and Server Professional Edition before 3.1.0 allow local users to gain privileges via vectors related to ccnet handling user accounts. |
| 36 | CVE-2014-5450 | 200 | | +Info | 2018-03-19 | 2018-04-20 | 2.1 | None | Local | Low | Not required | Partial | None | None | Zarafa Collaboration Platform 4.1 uses world-readable permissions for /etc/zarafa/license, which allows local users to obtain sensitive information by reading license files. |
| 37 | CVE-2014-6604 | 79 | | XSS | 2018-03-29 | 2018-04-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in class-s2-list-table.php in the Subscribe2 plugin before 10.16 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ip parameter. |
| 38 | CVE-2014-6617 | 798 | | | 2018-03-09 | 2018-10-09 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Softing FG-100 PB PROFIBUS firmware version FG-x00-PB_V2.02.0.00 contains a hardcoded password for the root account, which allows remote attackers to obtain administrative access via a TELNET session. |
| 39 | CVE-2014-7271 | 306 | | | 2018-03-08 | 2018-03-27 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Simple Desktop Display Manager (SDDM) before 0.10.0 allows local users to log in as user "sddm" without authentication. |
| 40 | CVE-2014-7272 | 264 | | +Priv | 2018-03-08 | 2018-03-27 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | Simple Desktop Display Manager (SDDM) before 0.10.0 allows local users to gain root privileges because code running as root performs write operations within a user home directory, and this user may have created links in advance (exploitation requires the user to win a race condition in the ~/.Xauthority chown case, but not other cases). |
| 41 | CVE-2014-8129 | 787 | | DoS | 2018-03-12 | 2018-04-06 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by failure of tif_next.c to verify that the BitsPerSample value is 2, and the t2p_sample_lab_signed_to_unsigned function in tiff2pdf.c. |
| 42 | CVE-2014-8130 | 369 | | DoS | 2018-03-12 | 2018-04-05 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither. |
| 43 | CVE-2014-8780 | 79 | | XSS | 2018-03-07 | 2019-04-25 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in Jease 2.11 allows remote authenticated users to inject arbitrary web script or HTML via a content section note. |
| 44 | CVE-2015-0796 | 59 | | DoS | 2018-03-02 | 2019-10-09 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | In open buildservice 2.6 before 2.6.3, 2.5 before 2.5.7 and 2.4 before 2.4.8 the source service patch application could generate non-standard files like symlinks or device nodes, which could allow buildservice users to break out of confinement or cause denial of service attacks on the source service. |
| 45 | CVE-2015-2000 | 118 | | Exec Code | 2018-03-29 | 2018-04-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The Jumio SDK before 1.5.0 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. |
| 46 | CVE-2015-2001 | 118 | | Exec Code | 2018-03-29 | 2018-04-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The MetaIO SDK before 6.0.2.1 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. |
| 47 | CVE-2015-2002 | 118 | | Exec Code | 2018-03-29 | 2018-04-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The ESRI ArcGis Runtime SDK before 10.2.6-2 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. |
| 48 | CVE-2015-2003 | 118 | | Exec Code | 2018-03-29 | 2018-04-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The PJSIP PJSUA2 SDK before SVN Changeset 51322 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. |
| 49 | CVE-2015-2004 | 118 | | Exec Code | 2018-03-29 | 2018-04-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The GraceNote GNSDK SDK before SVN Changeset 1.1.7 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. |
| 50 | CVE-2015-2009 | 352 | | XSS CSRF | 2018-03-29 | 2018-04-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the xmlrpc.cgi service in IBM QRadar SIEM 7.1 before MR2 Patch 11 Interim Fix 02 and 7.2.x before 7.2.5 Patch 4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences via vectors related to webmin. IBM X-Force ID: 103921. |
Total number of vulnerabilities: 1340 (page 1 of 27 shown)