CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2014

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
351 CVE-2014-1295 287 +Info 2014-04-23 2019-03-08
6.8
None Remote Medium Not required Partial Partial Partial
Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9.x through 10.9.2, and Apple TV before 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."
352 CVE-2014-1217 264 2014-04-28 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
Livetecs Timelive before 6.2.8 does not properly restrict access to systemsetting.aspx, which allows remote attackers to change configurations and obtain the database connection string and credentials via unspecified vectors.
353 CVE-2014-1216 1 Exec Code 2014-04-22 2014-04-22
7.5
None Remote Low Not required Partial Partial Partial
FitNesse Wiki 20131110, 20140201, and earlier allows remote attackers to execute arbitrary commands by defining a COMMAND_PATTERN and TEST_RUNNER in the pageContent parameter when editing a page.
354 CVE-2014-1210 310 2014-04-11 2014-04-14
5.8
None Remote Medium Not required Partial Partial None
VMware vSphere Client 5.0 before Update 3 and 5.1 before Update 2 does not properly validate X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
355 CVE-2014-1209 20 2014-04-11 2014-04-14
9.3
None Remote Medium Not required Complete Complete Complete
VMware vSphere Client 4.0, 4.1, 5.0 before Update 3, and 5.1 before Update 2 does not properly validate updates to Client files, which allows remote attackers to trigger the downloading and execution of an arbitrary program via unspecified vectors.
356 CVE-2014-0984 264 1 2014-04-17 2018-10-10
4.3
None Remote Medium Not required Partial None None
The passwordCheck function in SAP Router 721 patch 117, 720 patch 411, 710 patch 029, and earlier terminates validation of a Route Permission Table entry password upon encountering the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack.
357 CVE-2014-0932 79 XSS 2014-04-21 2017-08-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Sterling Order Management 8.5 before HF105 and Sterling Selling and Fulfillment Foundation 9.0 before HF85 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
358 CVE-2014-0924 20 Bypass 2014-04-15 2017-08-29
4.6
None Remote High ??? Partial Partial Partial
IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 does not verify that all of the characters of a password are correct, which makes it easier for remote authenticated users to bypass intended access restrictions by leveraging knowledge of a password substring.
359 CVE-2014-0923 20 DoS 2014-04-15 2017-08-29
4.3
None Remote Medium Not required None None Partial
IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allows remote attackers to cause a denial of service (daemon restart) via crafted MQ Telemetry Transport (MQTT) authentication data.
360 CVE-2014-0922 20 DoS 2014-04-15 2017-08-29
4.3
None Remote Medium Not required None None Partial
IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allows remote attackers to cause a denial of service (resource consumption) via WebSockets MQ Telemetry Transport (MQTT) data.
361 CVE-2014-0921 20 DoS 2014-04-15 2017-08-29
4.3
None Remote Medium Not required None None Partial
The server in IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allows remote attackers to cause a denial of service (daemon crash and message data loss) via malformed headers during a WebSockets connection upgrade.
362 CVE-2014-0920 255 +Info 2014-04-10 2017-08-29
4.0
None Remote Low ??? Partial None None
IBM SPSS Analytic Server 1.0 before IF002 and 1.0.1 before IF004 logs cleartext passwords, which allows remote authenticated users to obtain sensitive information via unspecified vectors.
363 CVE-2014-0908 264 +Info 2014-04-10 2017-08-29
6.0
None Remote Medium ??? Partial Partial Partial
The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls.
364 CVE-2014-0901 79 XSS 2014-04-02 2017-08-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Social Rendering implementation in the IBM Connections integration in IBM WebSphere Portal 8.0.0.x before 8.0.0.1 CF11 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
365 CVE-2014-0892 200 Exec Code +Info 2014-04-23 2017-08-29
5.0
None Remote Low Not required Partial None None
IBM Notes and Domino 8.5.x before 8.5.3 FP6 IF3 and 9.x before 9.0.1 FP1 on 32-bit Linux platforms use incorrect gcc options, which makes it easier for remote attackers to execute arbitrary code by leveraging the absence of the NX protection mechanism and placing crafted x86 code on the stack, aka SPR KLYH9GGS9W.
366 CVE-2014-0828 79 XSS 2014-04-02 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the WCM (Web Content Manager) UI in IBM WebSphere Portal 6.1.0.x through 6.1.0.6 CF27, 6.1.5.x through 6.1.5.3 CF27, 7.0.0.x through 7.0.0.2 CF27, and 8.0.0.x before 8.0.0.1 CF11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
367 CVE-2014-0827 79 XSS 2014-04-05 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM InfoSphere Optim Workload Replay 1.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
368 CVE-2014-0789 119 DoS Overflow 2014-04-04 2014-04-04
7.8
None Remote Low Not required None None Complete
Multiple buffer overflows in the OPC Automation 2.0 Server Object ActiveX control in Schneider Electric OPC Factory Server (OFS) TLXCDSUOFS33 3.5 and earlier, TLXCDSTOFS33 3.5 and earlier, TLXCDLUOFS33 3.5 and earlier, TLXCDLTOFS33 3.5 and earlier, and TLXCDLFOFS33 3.5 and earlier allow remote attackers to cause a denial of service via long arguments to unspecified functions.
369 CVE-2014-0787 119 Exec Code Overflow 2014-04-12 2017-09-17
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in WellinTech KingSCADA before 3.1.2.13 allows remote attackers to execute arbitrary code via a crafted packet.
370 CVE-2014-0780 22 Exec Code Dir. Trav. 2014-04-25 2017-09-16
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.
371 CVE-2014-0778 200 +Info 2014-04-19 2014-04-21
5.0
None Remote Low Not required Partial None None
The TCPUploader module in Progea Movicon 11.4 before 11.4.1150 allows remote attackers to obtain potentially sensitive version information via network traffic to TCP port 10651.
372 CVE-2014-0777 119 DoS Overflow 2014-04-11 2014-04-14
7.8
None Remote Low Not required None None Complete
The Modbus slave/outstation driver in the OPC Drivers 1.0.20 and earlier in IOServer OPC Server allows remote attackers to cause a denial of service (out-of-bounds read and daemon crash) via a crafted packet.
373 CVE-2014-0773 2014-04-12 2014-04-14
7.5
None Remote Low Not required Partial Partial Partial
The CreateProcess method in the BWOCXRUN.BwocxrunCtrl.1 ActiveX control in bwocxrun.ocx in Advantech WebAccess before 7.2 allows remote attackers to execute (1) setup.exe, (2) bwvbprt.exe, and (3) bwvbprtl.exe programs from arbitrary pathnames via a crafted argument, as demonstrated by a UNC share pathname.
374 CVE-2014-0772 200 +Info 2014-04-12 2014-04-14
5.0
None Remote Low Not required Partial None None
The OpenUrlToBufferTimeout method in the BWOCXRUN.BwocxrunCtrl.1 ActiveX control in bwocxrun.ocx in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a file: URL.
375 CVE-2014-0771 200 +Info 2014-04-12 2014-04-14
5.0
None Remote Low Not required Partial None None
The OpenUrlToBuffer method in the BWOCXRUN.BwocxrunCtrl.1 ActiveX control in bwocxrun.ocx in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a file: URL.
376 CVE-2014-0770 119 Exec Code Overflow 2014-04-12 2014-04-14
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long UserName parameter.
377 CVE-2014-0769 287 2014-04-25 2014-04-25
9.3
None Remote Medium Not required Complete Complete Complete
The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to (1) modify the configuration via a request to the debug service on port 4000 or (2) delete log entries via a request to the log service on port 4001.
378 CVE-2014-0768 119 Exec Code Overflow 2014-04-12 2015-07-09
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode2 argument.
379 CVE-2014-0767 119 Exec Code Overflow 2014-04-12 2015-07-09
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.
380 CVE-2014-0766 119 Exec Code Overflow 2014-04-12 2015-07-09
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long NodeName2 argument.
381 CVE-2014-0765 119 Exec Code Overflow 2014-04-12 2015-07-09
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.
382 CVE-2014-0764 119 Exec Code Overflow 2014-04-12 2015-07-09
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long NodeName parameter.
383 CVE-2014-0763 89 Exec Code Sql 2014-04-12 2015-07-24
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in DBVisitor.dll in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary SQL commands via SOAP requests to unspecified functions.
384 CVE-2014-0760 287 DoS Exec Code 2014-04-25 2014-04-25
9.3
None Remote Medium Not required Complete Complete Complete
The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion provide an undocumented access method involving the FTP protocol, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
385 CVE-2014-0645 255 +Info 2014-04-17 2014-04-17
4.7
None Local Medium Not required Complete None None
EMC Cloud Tiering Appliance (CTA) 9.x through 10 SP1 and File Management Appliance (FMA) 7.x store DES password hashes for the root, super, and admin accounts, which makes it easier for context-dependent attackers to obtain sensitive information via a brute-force attack.
386 CVE-2014-0644 200 +Info 2014-04-17 2014-04-17
7.8
None Remote Low Not required Complete None None
EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file.
387 CVE-2014-0642 264 Bypass 2014-04-15 2014-04-16
5.5
None Remote Low ??? Partial Partial None
EMC Documentum Content Server before 6.7 SP1 P26, 6.7 SP2 before P13, 7.0 before P13, and 7.1 before P02 allows remote authenticated users to bypass intended access restrictions and read metadata from certain folders via unspecified vectors.
388 CVE-2014-0638 79 XSS 2014-04-04 2014-04-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in RSA Adaptive Authentication (On-Premise) 6.x and 7.x before 7.1 SP0 P2 allows remote attackers to inject arbitrary web script or HTML via vectors involving FRAME elements, related to a "cross-frame scripting" issue.
389 CVE-2014-0637 79 XSS 2014-04-04 2014-04-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the back-office case-management application in RSA Adaptive Authentication (On-Premise) 6.x and 7.x before 7.1 SP0 P2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
390 CVE-2014-0636 310 2014-04-11 2021-12-09
5.8
None Remote Medium Not required Partial Partial None
EMC RSA BSAFE Micro Edition Suite (MES) 3.2.x before 3.2.6 and 4.0.x before 4.0.5 does not properly validate X.509 certificate chains, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate chain.
391 CVE-2014-0635 287 2014-04-01 2014-04-01
7.5
None Remote Medium ??? Complete Partial Partial
Session fixation vulnerability in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 allows remote attackers to hijack web sessions via unspecified vectors.
392 CVE-2014-0634 20 +Info 2014-04-01 2014-04-01
6.0
None Remote Medium ??? Partial Partial Partial
EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
393 CVE-2014-0633 20 Exec Code 2014-04-01 2014-04-01
7.7
None Local Network Low ??? Complete Complete Complete
The GUI in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not properly validate session-timeout values, which might make it easier for remote attackers to execute arbitrary code by leveraging an unattended workstation.
394 CVE-2014-0632 22 Exec Code Dir. Trav. 2014-04-01 2015-10-13
9.0
None Remote Low ??? Complete Complete Complete
Directory traversal vulnerability in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 allows remote authenticated users to execute arbitrary code via unspecified vectors.
395 CVE-2014-0614 DoS 2014-04-14 2014-04-15
7.1
None Remote Medium Not required None None Complete
Juniper Junos 13.2 before 13.2R3 and 13.3 before 13.3R1, when PIM is enabled, allows remote attackers to cause a denial of service (kernel panic and crash) via a large number of crafted IGMP packets.
396 CVE-2014-0612 DoS 2014-04-14 2014-04-19
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in Juniper Junos before 11.4R10-S1, before 11.4R11, 12.1X44 before 12.1X44-D26, 12.1X44 before 12.1X44-D30, 12.1X45 before 12.1X45-D20, and 12.1X46 before 12.1X46-D10, when Dynamic IPsec VPN is configured, allows remote attackers to cause a denial of service (new Dynamic VPN connection failures and CPU and disk consumption) via unknown vectors.
397 CVE-2014-0592 264 Bypass 2014-04-04 2014-04-04
7.5
None Remote Low Not required Partial Partial Partial
Barclamp (aka barclamp-network) 1.7 for the Crowbar Framework, as used in SUSE Cloud 3, does not enable netfilter on bridges when creating new instances, which allows remote attackers to bypass security group restrictions via unspecified vectors, related to floating IPs.
398 CVE-2014-0515 119 Exec Code Overflow 2014-04-29 2018-12-13
10.0
None Remote Low Not required Complete Complete Complete
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.
399 CVE-2014-0514 264 2 Exec Code 2014-04-15 2018-10-09
9.3
None Remote Medium Not required Complete Complete Complete
The Adobe Reader Mobile application before 11.2 for Android does not properly restrict use of JavaScript, which allows remote attackers to execute arbitrary code via a crafted PDF document, a related issue to CVE-2012-6636.
400 CVE-2014-0509 79 XSS 2014-04-08 2017-12-16
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Total number of vulnerabilities : 675   Page : 1 2 3 4 5 6 7 8 (This Page)9 10 11 12 13 14
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.