CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2014

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
551 CVE-2013-5705 Bypass 2014-04-15 2021-02-12
5.0
None Remote Low Not required None Partial None
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.
552 CVE-2013-5704 Bypass 2014-04-15 2022-04-14
5.0
None Remote Low Not required None Partial None
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."
553 CVE-2013-5680 119 1 DoS Exec Code Overflow 2014-04-06 2017-11-08
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in hfaxd in HylaFAX+ 5.2.4 through 5.5.3, when using LDAP authentication, might allow remote attackers to cause a denial of service (child hang) or execute arbitrary code via a long USER command.
554 CVE-2013-5660 119 Exec Code Overflow 2014-04-25 2014-04-25
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in Power Software WinArchiver 3.2 allows remote attackers to execute arbitrary code via a crafted .zip file.
555 CVE-2013-5640 89 1 Exec Code Sql 2014-04-01 2016-12-31
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) answer_id or (2) question_id parameter to polls/vote.php, (3) story_id parameter to comments/add.php or (4) comments/edit.php, or (5) thread_id parameter to posts/add.php. NOTE: this issue was SPLIT due to differences in researchers and disclosure dates. CVE-2013-7349 already covers the news_id parameter to news/send.php, user_email parameter to users/register.php, and thread_id to posts/edit.php vectors.
556 CVE-2013-5459 2014-04-21 2017-08-29
5.5
None Remote Low ??? None Partial Partial
Unspecified vulnerability in IBM Rational Software Architect (RSA) Design Manager and Rational Rhapsody Design Manager 3.x through 3.0.1 and 4.x before 4.0.6 allows remote authenticated users to modify data by leveraging improper parameter checking.
557 CVE-2013-5365 119 Exec Code Overflow 2014-04-02 2014-04-05
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in Autodesk SketchBook for Enterprise 2014, Pro, and Express before 6.25, and Copic Edition before 2.0.2 allows remote attackers to execute arbitrary code via RLE-compressed channel data in a PSD file.
558 CVE-2013-4795 79 XSS 2014-04-11 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Submitters list in Review Board 1.6.x before 1.6.18 and 1.7.x before 1.7.12 allows remote attackers to inject arbitrary web script or HTML via a user full name.
559 CVE-2013-4768 20 DoS 2014-04-16 2014-04-16
5.0
None Remote Low Not required None None Partial
The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote attackers to cause a denial of service via vectors related to the "network connection clean up code" and (1) Cloud Controller (CLC), (2) Walrus, (3) Storage Controller (SC), and (4) VMware Broker (VB).
560 CVE-2013-4726 352 CSRF 2014-04-25 2014-04-25
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in DDSN Interactive cm3 Acora CMS 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b-p1, and possibly other versions, allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
561 CVE-2013-4723 20 2014-04-25 2014-04-25
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in DDSN Interactive cm3 Acora CMS 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b-p1, and possibly other versions allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the l parameter to track.aspx.
562 CVE-2013-4722 79 XSS 2014-04-25 2014-04-25
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Admin/login/default.asp in DDSN Interactive cm3 Acora CMS 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b-p1, and possibly other versions allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) url, (3) qstr parameter.
563 CVE-2013-4694 119 1 DoS Exec Code Overflow 2014-04-16 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in gen_jumpex.dll in Winamp before 5.64 Build 3418 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a package with a long Skin directory name. NOTE: a second buffer overflow involving a long GUI Search field to ml_local.dll was also reported. However, since it is only exploitable by the user of the application, this issue would not cross privilege boundaries unless Winamp is running under a highly restricted environment such as a kiosk.
564 CVE-2013-4565 119 DoS Exec Code Overflow 2014-04-25 2017-08-29
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the __OLEdecode function in ppthtml 0.5.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted .ppt file.
565 CVE-2013-4472 59 2014-04-22 2014-04-23
3.3
None Local Medium Not required None Partial Partial
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.
566 CVE-2013-4336 79 XSS 2014-04-27 2014-04-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the admin page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag name.
567 CVE-2013-4290 119 Overflow 2014-04-18 2020-09-09
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in OpenJPEG before 1.5.2 allows remote attackers to have unspecified impact via unknown vectors to (1) lib/openjp3d/opj_jp3d_compress.c, (2) bin/jp3d/convert.c, or (3) lib/openjp3d/event.c.
568 CVE-2013-4289 189 Overflow 2014-04-18 2020-09-09
10.0
None Remote Low Not required Complete Complete Complete
Multiple integer overflows in lib/openjp3d/jp3d.c in OpenJPEG before 1.5.2 allow remote attackers to have unspecified impact and vectors, which trigger a heap-based buffer overflow.
569 CVE-2013-4285 255 +Info 2014-04-28 2014-04-29
2.1
None Local Low Not required Partial None None
A certain Gentoo patch for the PAM S/Key module does not properly clear credentials from memory, which allows local users to obtain sensitive information by reading system memory.
570 CVE-2013-4279 200 +Info 2014-04-18 2014-04-21
5.0
None Remote Low Not required Partial None None
imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.
571 CVE-2013-4240 352 CSRF 2014-04-02 2020-02-03
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the HMS Testimonials plugin before 2.0.11 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add new testimonials via the hms-testimonials-addnew page, (2) add new groups via the hms-testimonials-addnewgroup page, (3) change default settings via the hms-testimonials-settings page, (4) change advanced settings via the hms-testimonials-settings-advanced page, (5) change custom fields settings via the hms-testimonials-settings-fields page, or (6) change template settings via the hms-testimonials-templates-new page to wp-admin/admin.php.
572 CVE-2013-4116 59 2014-04-22 2020-10-14
3.3
None Local Medium Not required None Partial Partial
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.
573 CVE-2013-3930 119 Exec Code Overflow 2014-04-04 2014-08-11
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in Core FTP before 2.2 build 1785 allows remote FTP servers to execute arbitrary code via a crafted directory name in a CWD command reply.
574 CVE-2013-3588 20 DoS 2014-04-02 2014-04-02
7.8
None Remote Low Not required None None Complete
The web management interface on Zyxel P660 devices allows remote attackers to cause a denial of service (reboot) via a flood of TCP SYN packets.
575 CVE-2013-3484 79 XSS 2014-04-02 2014-04-03
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in dotCMS before 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) _loginUserName parameter to application/login/login.html, (2) my_account_login parameter to c/portal_public/login, or (3) email parameter to forgotPassword.
576 CVE-2013-3252 352 CSRF 2014-04-10 2014-04-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the options admin page in the WP-PostViews plugin before 1.63 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors.
577 CVE-2013-3251 352 CSRF 2014-04-10 2014-04-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the qTranslate plugin 2.5.34 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors.
578 CVE-2013-3213 89 Exec Code Sql 2014-04-02 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php.
579 CVE-2013-3069 79 XSS 2014-04-25 2014-04-25
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in NETGEAR WNDR4700 with firmware 1.0.0.34 allow remote authenticated users to inject arbitrary web script or HTML via the (1) UserName or (2) Password to the NAS User Setup page, (3) deviceName to USB_advanced.htm, or (4) Network Key to the Wireless Setup page.
580 CVE-2013-2945 89 Exec Code Sql CSRF 2014-04-02 2017-08-29
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.
581 CVE-2013-2828 20 DoS 2014-04-12 2014-04-14
4.7
None Local Medium Not required None None Complete
The DNP Master Driver in the OSIsoft PI Interface before 3.1.2.54 for DNP3 allows physically proximate attackers to cause a denial of service (interface shutdown) via crafted input over a serial line.
582 CVE-2013-2809 20 DoS 2014-04-12 2014-04-14
7.1
None Remote Medium Not required None None Complete
The DNP Master Driver in the OSIsoft PI Interface before 3.1.2.54 for DNP3 allows remote attackers to cause a denial of service (interface shutdown) via a crafted TCP packet.
583 CVE-2013-2708 352 CSRF 2014-04-11 2014-04-14
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Content Slide plugin 1.4.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors.
584 CVE-2013-2706 352 CSRF 2014-04-11 2014-04-14
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Stream Video Player plugin 1.4.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors.
585 CVE-2013-2699 352 CSRF 2014-04-10 2021-09-02
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the underConstruction plugin before 1.09 for WordPress allows remote attackers to hijack the authentication of administrators for requests that deactivate a plugin via unspecified vectors.
586 CVE-2013-2693 352 CSRF 2014-04-10 2014-04-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Options in the WP-Print plugin before 2.52 for WordPress allows remote attackers to hijack the authentication of administrators for requests that manipulate plugin settings via unspecified vectors.
587 CVE-2013-2287 79 XSS 2014-04-04 2014-04-04
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) notify or (2) blog parameter.
588 CVE-2013-2278 DoS Exec Code 2014-04-01 2014-04-01
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in War FTP Daemon (warftpd) 1.82, when running as a Windows service, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to log messages and the "internal log handler to the Windows Event log."
589 CVE-2013-2187 79 XSS 2014-04-22 2018-10-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.
590 CVE-2013-2143 20 1 +Priv 2014-04-17 2021-07-16
6.5
None Remote Low ??? Partial Partial Partial
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.
591 CVE-2013-2105 59 2014-04-22 2017-08-29
3.3
None Local Medium Not required None Partial Partial
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.
592 CVE-2013-2033 79 XSS 2014-04-10 2018-12-06
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allows remote authenticated users with write permission to inject arbitrary web script or HTML via unspecified vectors.
593 CVE-2013-2025 79 XSS 2014-04-25 2014-04-25
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Ushahidi Platform 2.5.x through 2.6.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
594 CVE-2013-1946 20 DoS 2014-04-06 2020-02-26
4.3
None Remote Medium Not required None None Partial
The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache."
595 CVE-2013-1869 20 XSS Http R.Spl. 2014-04-01 2022-02-03
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 5.6 allows remote attackers to inject arbitrary HTTP headers, and conduct HTTP response splitting attacks and cross-site scripting (XSS) attacks, via the return_url parameter.
596 CVE-2013-1807 264 +Info 2014-04-30 2014-05-01
5.0
None Remote Low Not required Partial None None
PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/.
597 CVE-2013-1806 22 Dir. Trav. 2014-04-30 2014-05-01
6.5
None Remote Low ??? Partial Partial Partial
Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php.
598 CVE-2013-1804 79 XSS 2014-04-29 2014-08-04
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) "__BBCODE__" parameter to administration/bbcodes.php; errorMessage parameter to (9) article_cats.php, (10) download_cats.php, (11) news_cats.php, or (12) weblink_cats.php in administration/, when error is 3; or (13) body or (14) body2 parameter to administration/articles.php.
599 CVE-2013-1770 79 XSS 2014-04-02 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in views_view.php in Ganglia Web 3.5.7 allows remote attackers to inject arbitrary web script or HTML via the view_name parameter.
600 CVE-2013-1764 264 2014-04-16 2014-04-17
2.1
None Local Low Not required None Partial None
The Zypper (aka zypp) backend in PackageKit before 0.8.8 allows local users to downgrade packages via the "install updates" method.
Total number of vulnerabilities : 675   Page : 1 2 3 4 5 6 7 8 9 10 11 12 (This Page)13 14
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.