CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In January 2014 (CVSS score >= 4)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2014-0387 2014-01-15 2022-05-13
7.6
None Remote High Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 6u65 and Java SE 7u45, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
152 CVE-2014-0386 2014-01-15 2019-12-17
4.0
None Remote Low ??? None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
153 CVE-2014-0385 2014-01-15 2022-05-13
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 7u45, when installing on OS X, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install.
154 CVE-2014-0382 2014-01-15 2022-05-13
4.3
None Remote Medium Not required None None Partial
Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 allows remote attackers to affect availability via unknown vectors related to JavaFX.
155 CVE-2014-0380 2014-01-15 2014-02-07
4.3
None Remote Medium Not required None Partial None
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect integrity via vectors related to MultiChannel Framework (MCF).
156 CVE-2014-0379 1 2014-01-15 2017-11-08
4.3
None Remote Medium Not required None Partial None
Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server, 7.3.0.x, 7.3.1.x, 12.2.0, 12.2.1, and 12.2.2 allows remote attackers to affect integrity via unknown vectors related to DM Others.
157 CVE-2014-0378 2014-01-15 2014-03-06
4.1
None Local Medium ??? Partial Partial Partial
Unspecified vulnerability in the Spatial component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors.
158 CVE-2014-0377 2014-01-15 2014-03-06
4.0
None Remote Low ??? Partial None None
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality via vectors related to SYS tables.
159 CVE-2014-0376 2014-01-15 2022-05-13
5.0
None Remote Low Not required None Partial None
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAXP. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to an improper check for "code permissions when creating document builder factories."
160 CVE-2014-0375 2014-01-15 2022-05-13
5.8
None Remote Medium Not required Partial Partial None
Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0403.
161 CVE-2014-0374 2014-01-15 2014-02-07
4.3
None Remote Medium Not required None Partial None
Unspecified vulnerability in the Oracle Portal component in Oracle Fusion Middleware 11.1.1.6 allows remote attackers to affect integrity via unknown vectors related to Page Parameters and Events.
162 CVE-2014-0373 2014-01-15 2022-05-13
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to throwing of an incorrect exception when SnmpStatusException should have been used in the SNMP implementation, which allows attackers to escape the sandbox.
163 CVE-2014-0372 1 2014-01-15 2018-10-09
5.5
None Remote Low ??? Partial Partial None
Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.1, and 12.2.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to DM Others.
164 CVE-2014-0369 2014-01-15 2016-11-19
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in the Siebel Core - EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Java Integration, a different vulnerability than CVE-2015-0366.
165 CVE-2014-0368 2014-01-15 2022-05-13
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and Java SE Embedded 7u45, allows remote attackers to affect confidentiality via unknown vectors related to Networking. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to incorrect permission checks when listening on a socket, which allows attackers to escape the sandbox.
166 CVE-2014-0367 2014-01-15 2014-02-07
5.5
None Remote Low ??? Partial Partial None
Unspecified vulnerability in the Hyperion Essbase Administration Services component in Oracle Hyperion 11.1.2.1, 11.1.2.2, and 11.1.2.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Admin Console.
167 CVE-2014-0366 2014-01-15 2014-02-07
4.0
None Remote Low ??? Partial None None
Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, and 12.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Attachments.
168 CVE-2014-0262 264 +Priv 2014-01-15 2020-09-28
7.2
None Local Low Not required Complete Complete Complete
win32k.sys in the kernel-mode drivers in Microsoft Windows 7 SP1 and Server 2008 R2 SP1 does not properly consider thread-owned objects during the processing of window handles, which allows local users to gain privileges via a crafted application, aka "Win32k Window Handle Vulnerability."
169 CVE-2014-0261 20 DoS 2014-01-15 2018-10-12
4.0
None Remote Low ??? None None Partial
Microsoft Dynamics AX 4.0 SP2, 2009 SP1, 2012, and 2012 R2 allows remote authenticated users to cause a denial of service (instance outage) via crafted data to an Application Object Server (AOS) instance, aka "Query Filter DoS Vulnerability."
170 CVE-2014-0260 119 DoS Exec Code Overflow Mem. Corr. 2014-01-15 2018-10-30
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Office Compatibility Pack SP3; Word Viewer; SharePoint Server 2010 SP1 and SP2 and 2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."
171 CVE-2014-0259 119 DoS Exec Code Overflow Mem. Corr. 2014-01-15 2018-10-12
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."
172 CVE-2014-0258 119 DoS Exec Code Overflow Mem. Corr. 2014-01-15 2018-10-12
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Word 2003 SP3 and 2007 SP3, Office Compatibility Pack SP3, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."
173 CVE-2014-0031 264 2014-01-15 2014-02-25
4.0
None Remote Low ??? Partial None None
The (1) ListNetworkACL and (2) listNetworkACLLists APIs in Apache CloudStack before 4.2.1 allow remote authenticated users to list network ACLS for other users via a crafted request.
174 CVE-2014-0028 264 Bypass +Info 2014-01-24 2015-01-03
4.3
None Local Network Medium Not required Partial None Partial
libvirt 1.1.1 through 1.2.0 allows context-dependent attackers to bypass the domain:getattr and connect:search_domains restrictions in ACLs and obtain sensitive domain object information via a request to the (1) virConnectDomainEventRegister and (2) virConnectDomainEventRegisterAny functions in the event registration API.
175 CVE-2014-0022 20 Bypass 2014-01-26 2014-01-27
5.0
None Remote Low Not required None Partial None
The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RMP package signing restriction via an unsigned package.
176 CVE-2014-0010 352 CSRF 2014-01-20 2020-12-01
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in user/profile/index.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 allow remote attackers to hijack the authentication of administrators for requests that delete (1) categories or (2) fields.
177 CVE-2014-0009 264 2014-01-20 2020-12-01
5.5
None Remote Low ??? Partial Partial None
course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request.
178 CVE-2014-0008 255 +Info 2014-01-20 2020-12-01
4.0
None Remote Low ??? Partial None None
lib/adminlib.php in Moodle through 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 logs cleartext passwords, which allows remote authenticated administrators to obtain sensitive information by reading the Config Changes Report.
179 CVE-2014-0006 200 +Info 2014-01-23 2014-03-08
4.3
None Remote Medium Not required Partial None None
The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 through 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret URLs by leveraging an object name and a timing side-channel attack.
180 CVE-2014-0001 119 DoS Exec Code Overflow 2014-01-31 2019-12-17
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.
181 CVE-2013-7318 79 XSS 2014-01-29 2014-08-06
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in BusinessFlow/login in AlgoSec Firewall Analyzer 6.4 allows remote attackers to inject arbitrary web script or HTML via the message parameter.
182 CVE-2013-7317 79 XSS 2014-01-24 2014-02-25
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf, (b) amline.swf, or (c) amcolumn.swf.
183 CVE-2013-7316 79 1 XSS 2014-01-24 2018-10-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in GitLab 6.0 and other versions before 6.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML file, as demonstrated by README.html.
184 CVE-2013-7315 264 DoS CSRF 2014-01-23 2022-04-11
6.8
None Remote Medium Not required Partial Partial Partial
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
185 CVE-2013-7314 DoS +Info 2014-01-23 2014-01-23
6.8
None Remote Medium Not required Partial Partial Partial
The OSPF implementation on NEC IP38X, IX1000, IX2000, and IX3000 routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.
186 CVE-2013-7313 DoS +Info 2014-01-23 2014-01-23
5.4
None Local Network Medium Not required Partial Partial Partial
The OSPF implementation in Juniper Junos through 13.x, JunosE, and ScreenOS through 6.3.x does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.
187 CVE-2013-7312 DoS +Info 2014-01-23 2014-01-23
5.4
None Local Network Medium Not required Partial Partial Partial
The OSPF implementation on Enterasys switches and routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.
188 CVE-2013-7311 DoS +Info 2014-01-23 2014-01-23
5.4
None Local Network Medium Not required Partial Partial Partial
The OSPF implementation in Check Point Gaia OS R75.X and R76 and IPSO OS 6.2 R75.X and R76 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.
189 CVE-2013-7310 DoS +Info 2014-01-23 2014-01-23
5.4
None Local Network Medium Not required Partial Partial Partial
The OSPF implementation on Yamaha routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.
190 CVE-2013-7309 DoS +Info 2014-01-23 2014-01-23
5.4
None Local Network Medium Not required Partial Partial Partial
The OSPF implementation in Extreme Networks EXOS does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.
191 CVE-2013-7308 DoS +Info 2014-01-23 2014-01-23
5.4
None Local Network Medium Not required Partial Partial Partial
The OSPF implementation on the D-Link DES-3810-28 switch with firmware R2.20.B017 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.
192 CVE-2013-7307 DoS +Info 2014-01-23 2014-01-23
5.4
None Local Network Medium Not required Partial Partial Partial
The OSPF implementation on the Brocade Vyatta vRouter with software before 6.6R1 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.
193 CVE-2013-7306 20 DoS +Info 2014-01-23 2014-01-23
5.4
None Local Network Medium Not required Partial Partial Partial
The OSPF implementation on Brocade routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.
194 CVE-2013-7305 255 2014-01-22 2014-01-23
4.3
None Remote Medium Not required None Partial None
fpw.php in e107 through 1.0.4 does not check the user_ban field, which makes it easier for remote attackers to reset passwords by sending a pwsubmit request and leveraging access to the e-mail account of a banned user.
195 CVE-2013-7304 310 2014-01-22 2017-08-29
4.3
None Remote Medium Not required None Partial None
Check Point Endpoint Security MI Server through R73 3.0.0 HFA2.5 does not configure X.509 certificate validation for client devices, which allows man-in-the-middle attackers to spoof SSL servers by presenting an arbitrary certificate during a session established by a client.
196 CVE-2013-7303 79 XSS 2014-01-30 2017-08-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field.
197 CVE-2013-7299 200 +Info 2014-01-26 2017-08-29
5.0
None Remote Low Not required Partial None None
framework/common/messageheaderparser.cpp in Tntnet before 2.2.1 allows remote attackers to obtain sensitive information via a header that ends in \n instead of \r\n, which prevents a null terminator from being added and causes Tntnet to include headers from other requests.
198 CVE-2013-7298 399 DoS 2014-01-26 2017-08-29
5.0
None Remote Low Not required None None Partial
query_params.cpp in cxxtools before 2.2.1 allows remote attackers to cause a denial of service (infinite recursion and crash) via an HTTP query that contains %% (double percent) characters.
199 CVE-2013-7296 119 DoS Overflow 2014-01-26 2017-08-29
5.0
None Remote Low Not required None None Partial
The JBIG2Stream::readSegments method in JBIG2Stream.cc in Poppler before 0.24.5 does not use the correct specifier within a format string, which allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted PDF file.
200 CVE-2013-7295 310 Bypass 2014-01-17 2014-02-12
4.0
None Remote High Not required Partial Partial None
Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors.
Total number of vulnerabilities : 482   Page : 1 2 3 4 (This Page)5 6 7 8 9 10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.