Affected products:
- STORESPRITE : Storesprite 7
- JOBSCHEDULER : JobScheduler 1.7
- OSCLASS : OsClass 3.4
- AVOLVE : ProjectDox 8.1
- PHPCAS : php-Cas 1.3
- INNOVATIVESERVIC : Sierra Library Services 1.2
- AEROHIVE : Aerohive Hive Manager 6.1
- S3QL : s3ql 1.11
- INNOVATIVEINTERF : Encore Discovery Solution 4.3
- OWNCLOUD : owncloud 7.0
- VEMBU : Storegrid 4.4
- ZEND : Zend 1.12
- ARTICLEFR : ArticleFR 11.06
- E2 : E2 2844
- E107 : E107 2.0
- KANBOARD : Kanboard 1.0
- WEB2PROJECT : web2Project 3.1
- ENDECA : Endeca Latitude 2.2
- CGIHTTPSERVER : CGIHTTPServer 3.4
CVE:
- CVE-2014-6308: Directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php.
- CVE-2014-6280: Multiple cross-site scripting (XSS) vulnerabilities in OSClass before 3.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) action or (2) nsextt parameter to oc-admin/index.php or the (3) nsextt parameter in an items_reported action to oc-admin/index.php.
- CVE-2014-5393: Directory traversal vulnerability in the JobScheduler Operations Center (JOC) in SOS JobScheduler before 1.6.4246 and 1.7.x before 1.7.4241 allows remote authenticated users with the info permission to read arbitrary files in the webroot via unspecified vectors.
- CVE-2014-5392: XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 1.7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.
- CVE-2014-5391: Cross-site scripting (XSS) vulnerability in the JobScheduler Operations Center (JOC) in SOS JobScheduler before 1.6.4246 and 1.7.x before 1.7.4241 allows remote attackers to inject arbitrary web script or HTML via the hash property (location.hash).
- CVE-2014-5136: Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
- CVE-2014-5129: Cross-site scripting (XSS) vulnerability in Avolve Software ProjectDox 8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2014-5127: Open redirect vulnerability in Innovative Interfaces Encore Discovery Solution 4.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in an unspecified parameter.
- CVE-2014-4914
- CVE-2014-4736: SQL injection vulnerability in E2 before 2.4 (2845) allows remote attackers to execute arbitrary SQL commands via the note-id parameter to @actions/comment-process.
- CVE-2014-4734: Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.
- CVE-2014-4172
- CVE-2014-4170
- CVE-2014-3920: Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentication of administrators for requests that add an administrative user via a save action to the default URI.
- CVE-2014-3810: SQL injection vulnerability in administration/profiles.php in BoonEx Dolphin 7.1.4 and earlier allows remote authenticated administrators to execute arbitrary SQL commands via the members[] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-4333.
- CVE-2014-3737: Cross-site scripting (XSS) vulnerability in templates/defaultheader.php in Lamp Design Storesprite before 7 - 19-06-14, when using the currency selection dropdown, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to brand.php, related to the currencyUrl function.
- CVE-2014-3119
- CVE-2014-1546: The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set.
- CVE-2014-0992: Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the password parameter.
- CVE-2014-0991: Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the projectname parameter.
- CVE-2014-0990: Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the UserName parameter.
- CVE-2014-0989: Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.
- CVE-2014-0988: Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.
- CVE-2014-0987: Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.
- CVE-2014-0986: Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.
- CVE-2014-0985: Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.
- CVE-2014-0485: S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.
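The last entry, CVE-2014-0485, is the generic "pickle.loads() on attacker-controlled bytes" bug: a pickle stream is a small program, and the GLOBAL and REDUCE opcodes let whoever wrote the stream pick any importable callable and call it during loading. The block below is an added illustration of that class, written for this page; it is not S3QL's code and makes no claim about how the affected backends/common.py or backends/local.py were structured. The Malicious class, the eval-based payload and the plain-data pickle are constructed here for the demonstration. It shows the unsafe pattern, a static pre-check that flags streams referencing globals without executing them, and a restricted unpickler that only admits plain data.

```python
import io
import pickle
import pickletools

# Opcodes that make the unpickler resolve a module-level name or call
# something. A stream that carries only plain data (dict, list, str, int,
# bytes, ...) never needs any of them.
DANGEROUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD",
    "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
}


class Malicious:
    """Hypothetical attacker-controlled object (constructed for this example).
    Its pickled form tells the loader to call eval() on an attacker string."""

    def __reduce__(self):
        # Any importable callable may stand here; real payloads use os.system
        # or subprocess. eval of getpid() keeps the demonstration harmless.
        return (eval, ("__import__('os').getpid()",))


def make_payload() -> bytes:
    """Bytes an attacker would plant where the victim later unpickles them."""
    return pickle.dumps(Malicious(), protocol=4)


def benign_payload() -> bytes:
    """Plain-data pickle: the only kind a storage backend should need."""
    return pickle.dumps({"name": "meta", "blocks": [1, 2, 3]})


def unsafe_load(data: bytes):
    """The pattern the advisory describes: pickle.loads() on untrusted input.
    Loading make_payload() runs eval() and returns this process's PID."""
    return pickle.loads(data)


def references_globals(data: bytes) -> bool:
    """Static pre-check: does the stream contain any opcode that resolves a
    global or invokes a callable? pickletools only disassembles, it never
    executes, so this is safe to run on hostile input."""
    return any(op.name in DANGEROUS_OPCODES
               for op, _arg, _pos in pickletools.genops(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only plain data loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    """Load a pickle that may contain only plain data; raises UnpicklingError
    the moment the stream tries to name a module-level object."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data: bytes) -> bool:
    """True if safe_load() refuses the stream, False if it loads cleanly."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = make_payload()
    print("payload references globals:", references_globals(payload))
    print("unsafe_load ran eval(), got PID:", unsafe_load(payload))
    print("safe_load rejects payload:", safe_load_rejects(payload))
    benign = benign_payload()
    print("benign references globals:", references_globals(benign))
    print("safe_load of benign data:", safe_load(benign))
```

The restricted unpickler is the minimal fix when the on-disk format cannot change; the better fix is to stop storing pickles of untrusted origin at all and use a data-only format such as JSON, which has no notion of "call this function" in the first place. Note that find_class is only reached for GLOBAL/STACK_GLOBAL, so an allow-list version of it (admitting, say, a few known-safe names) must still be reviewed for gadgets reachable through those names.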
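Two entries above, CVE-2014-6308 (OSClass, a ".." in the file parameter of a render action) and CVE-2014-5393 (JobScheduler JOC), are directory traversal: user input is joined onto a base directory without checking that the result still lies inside it. The block below is an added example of the containment check an application should make before opening the file, written for this page; it is not OSClass or JobScheduler code, and the base directory, request dictionary and path values are constructed here. It assumes the web layer has already percent-decoded the parameter, which is the usual situation in PHP and Java servlet containers.

```python
import os


class TraversalError(ValueError):
    """Raised when a requested path would leave the configured base directory."""


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the absolute, symlink-resolved path of user_path inside base_dir,
    or raise TraversalError if the request escapes it.

    Handles the three common escapes: '..' segments (possibly mixed with valid
    ones, e.g. 'pages/../../etc/passwd'), absolute paths that would replace
    base_dir in os.path.join(), and embedded NUL bytes that truncate the name
    in C-level open() calls."""
    if "\0" in user_path:
        raise TraversalError("NUL byte in path")
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        raise TraversalError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath() compares whole path components, so '/srv/app/templates2'
    # does not pass as being under '/srv/app/templates' (a startswith() check would).
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def is_safe(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_under() for checks and tests."""
    try:
        resolve_under(base_dir, user_path)
    except TraversalError:
        return False
    return True


def render(query: dict, template_dir: str = "/srv/app/templates") -> str:
    """Hypothetical render action: maps the 'file' query parameter to the
    template that would be read, refusing anything outside template_dir."""
    requested = query.get("file", "")
    path = resolve_under(template_dir, requested)
    return path


if __name__ == "__main__":
    # Constructed requests: one legitimate, three hostile.
    for q in ({"file": "pages/home.php"},
              {"file": "../../etc/passwd"},
              {"file": "pages/../../etc/passwd"},
              {"file": "/etc/passwd"}):
        try:
            print("OK   ", q["file"], "->", render(q))
        except TraversalError as exc:
            print("DENY ", q["file"], "->", exc)
```

Doing the check on the resolved path rather than on the raw string is what defeats encodings the string check would miss (`....//`, overlong UTF-8, Windows `..\\`), because realpath() works on the path the kernel will actually open. When the set of valid values is small (template names, report IDs), an allow-list lookup is simpler still and removes the filesystem from the decision entirely.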