Информационная безопасность
[RU] switch to English


Утечка информации в EMC Documentum Content Server
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13728
Тип:удаленная
Уровень опасности:
5/10
Описание:Возможно получить доступ к закрытым папкам.
Затронутые продукты:EMC : Documentum Content Server 7.1
CVE:CVE-2014-0642 (EMC Documentum Content Server before 6.7 SP1 P26, 6.7 SP2 before P13, 7.0 before P13, and 7.1 before P02 allows remote authenticated users to bypass intended access restrictions and read metadata from certain folders via unspecified vectors.)
Оригинальный текстdocumentEMC, ESA-2014-026: EMC Documentum Content Server Information Disclosure Vulnerability (05.05.2014)

Повышение привилегий в EMC RSA Data Loss Prevention
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13729
Тип:удаленная
Уровень опасности:
5/10
Описание:Повышение привилегий из-за некорректной работы с сессиями.
Затронутые продукты:EMC : RSA Data Loss Prevention 9.6
CVE:CVE-2014-0624 (EMC RSA Data Loss Prevention (DLP) 9.x before 9.6-SP2 does not properly manage sessions, which allows remote authenticated users to gain privileges and bypass intended content-reading restrictions via unspecified vectors.)
Оригинальный текстdocumentEMC, ESA-2014-003: RSA® Data Loss Prevention Improper Session Management Vulnerability (05.05.2014)

Уязвимости безопасности в EMC RSA BSAFE Micro Edition Suite
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13730
Тип:удаленная
Уровень опасности:
5/10
Описание:Несколько уязвимостей SSL связанных с атакой BEAST и проверкой цепочки сертификатов.
Затронутые продукты:EMC : RSA BSAFE Micro Edition Suite 4.0
CVE:CVE-2014-0636 (EMC RSA BSAFE Micro Edition Suite (MES) 3.2.x before 3.2.6 and 4.0.x before 4.0.5 does not properly validate X.509 certificate chains, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate chain.)
 CVE-2011-3389 (The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.)
Оригинальный текстdocumentEMC, ESA-2014-019: RSA BSAFE® Micro Edition Suite Certificate Chain Processing Vulnerability (05.05.2014)
 documentEMC, ESA-2012-032: RSA BSAFE® Micro Edition Suite Security Update for BEAST (Browser Exploit Against SSL/TLS) attacks (05.05.2014)

Многочисленные уязвимости безопасности в Plex Media Server
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13732
Тип:удаленная
Уровень опасности:
5/10
Описание:Утечка информации, обход защиты, межсайтовые запросы.
Затронутые продукты:PLEX : Plex Media Server 0.9
Оригинальный текстdocumentSEC Consult Vulnerability Lab, SEC Consult SA-20140411-0 :: Multiple vulnerabilities in Plex Media Server (05.05.2014)

DoS против OpenAFS
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13734
Тип:удаленная
Уровень опасности:
5/10
Описание:Переполнение буфера в RPC-вызове GetStatistics64()
Затронутые продукты:OPENAFS : OpenAFS 1.6
CVE:CVE-2014-0159 (Buffer overflow in the GetStatistics64 remote procedure call (RPC) in OpenAFS 1.4.8 before 1.6.7 allows remote attackers to cause a denial of service (crash) via a crafted statsVersion argument.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 2899-1] openafs security update (05.05.2014)

Многочисленные уязвимости безопасности в Cisco ASA
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13735
Тип:удаленная
Уровень опасности:
6/10
Описание:Повышение привилегий, DoS, обход аутентификации.
Затронутые продукты:CISCO : Cisco ASA 5500
 CISCO : Cisco ASA 1000V
 CISCO : Cisco ASA Services Module
CVE:CVE-2014-2129 (The SIP inspection engine in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.48), 8.4 before 8.4(6.5), 9.0 before 9.0(3.1), and 9.1 before 9.1(2.5) allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted SIP packets, aka Bug ID CSCuh44052.)
 CVE-2014-2128 (The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555.)
 CVE-2014-2127 (Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099.)
 CVE-2014-2126 (Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47), 8.4 before 8.4(7.5), 8.7 before 8.7(1.11), 9.0 before 9.0(3.10), and 9.1 before 9.1(3.4) allows remote authenticated users to gain privileges by leveraging level-0 ASDM access, aka Bug ID CSCuj33496.)
Файлы: Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software

Переполнение буфера в Blackberry Z10
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13736
Тип:удаленная
Уровень опасности:
5/10
Описание:Переполнение буфера в сервисе qconndoor
Затронутые продукты:BLACKBERRY : Blackberry Z10
CVE:CVE-2014-2389 (Stack-based buffer overflow in a certain decryption function in qconnDoor on BlackBerry Z10 devices with software 10.1.0.2312, when developer-mode has been previously enabled, allows remote attackers to execute arbitrary code via a crafted packet in a TCP session on a wireless network.)
Оригинальный текстdocumentmodzero security, BlackBerry Z 10 - Buffer Overflow in qconnDoor [MZ-13-05] (05.05.2014)

Уязвимости безопасности в Open-Xchange
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13737
Тип:удаленная
Уровень опасности:
5/10
Описание:При сбросе пароля пароль передается в URI, межсайтосвый скриптинг.
Затронутые продукты:OPENXCHANGE : Open-Xchange 7.4
CVE:CVE-2014-2393 (Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment.)
 CVE-2014-2392 (The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.)
 CVE-2014-2391 (The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading (1) a web-server access log, (2) a web-server Referer log, or (3) browser history that contains this string because of its presence in a GET request.)
Оригинальный текстdocumentOPENXCHANGE, Open-Xchange Security Advisory 2014-04-08 (05.05.2014)

DoS против prosody
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13738
Тип:удаленная
Уровень опасности:
5/10
Описание:Исчерпание ресурсов через zip-бомбу.
Затронутые продукты:PROSODY : Prosody 1.3
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 2895-1] prosody security update (05.05.2014)

DoS против HP IceWall Identity Manager / HP IceWall SSO Password Reset Option
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13739
Тип:удаленная
Уровень опасности:
5/10
Описание:DoS связанный с загрузкой файлов.
Затронутые продукты:HP : IceWall SSO 10.0
 HP : IceWall Identity Manager 5.0
CVE:CVE-2014-2600 (Unspecified vulnerability in HP IceWall Identity Manager 4.0 through SP1 and 5.0 and IceWall SSO 10.0 Password Reset Option, when Apache Commons FileUpload is used, allows remote authenticated users to cause a denial of service via unknown vectors.)
Оригинальный текстdocumentHP, [security bulletin] HPSBGN02986 rev.1 - HP IceWall Identity Manager and HP IceWall SSO Password Reset Option Running Apache Commons FileUpload, Remote Denial of Service (DoS) (05.05.2014)

Переполнение буфера в Free Download Manager
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13740
Тип:клиент
Уровень опасности:
5/10
Описание:Переполнение буфера через имя файла.
Затронутые продукты:FREEDOWNLOADMANA : Free Download Manager 3.9
CVE:CVE-2014-2087 (Stack-based buffer overflow in the CDownloads_Deleted::UpdateDownload function in Downloads_Deleted.cpp in Free Download Manager 3.9.3 build 1360, 3.8 build 1173, 3.0 build 852, and earlier allows user-assisted remote attackers to execute arbitrary code via a long file name, which is then deleted from the download queue by the user.)
Оригинальный текстdocumentJulien Ahrens, [CVE-2014-2087] Free Download Manager CDownloads_Deleted::UpdateDownload() Buffer Overflow Remote Code Execution (05.05.2014)

Уязвимости безопасности в owncloud
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13741
Тип:удаленная
Уровень опасности:
5/10
Описание:В версиях 5.0.15 и 6.0.2 закрыто несколько неанонсированных уязвимостей безопасности.
Затронутые продукты:OWNCLOUD : owncloud 5.0
 OWNCLOUD : owncloud 6.0
CVE:CVE-2014-2044 (Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program.)
Оригинальный текстdocumentadvisories_(at)_portcullis-security.com, CVE-2014-2044 - Remote Code Execution in ownCloud (05.05.2014)
 documentMANDRIVA, [ MDVSA-2014:055 ] owncloud (05.05.2014)

Переполнение буфера в GetGo Download Manager
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13742
Тип:клиент
Уровень опасности:
5/10
Описание:Переполнение буфера при разборе ответа сервера.
Затронутые продукты:GETGOSOFT : GetGo Download Manager 4.0
CVE:CVE-2014-2206 (Stack-based buffer overflow in GetGo Download Manager 4.9.0.1982, 4.8.2.1346, 4.4.5.502, and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a long HTTP Response Header.)
Оригинальный текстdocumentJulien Ahrens, [CVE-2014-2206] GetGo Download Manager HTTP Response Header Buffer Overflow Remote Code Execution (05.05.2014)

Многочисленные уязвимости безопасности в продуктах Oracle / Sun / MySQL / PeopleSoft / OpenJDK
дополнено с 29 января 2014 г.
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13537
Тип:библиотека
Уровень опасности:
9/10
Описание:144 различных уязвимости закрыто в ежеквартальном обновлении.
Затронутые продукты:ORACLE : Oracle Enterprise Data Quality 9.0
 ORACLE : GlassFish Server 2.1
 ORACLE : Sun Java Application Server 8.2
 ORACLE : Oracle HTTP Server 11g
 ORACLE : Oracle Internet Directory 11.1
 ORACLE : iPlanet Web Proxy Server 4.0
 ORACLE : iPlanet Web Server 6.1
 ORACLE : iPlanet Web Server 7.0
 ORACLE : Oracle Reports Developer 11.1
 ORACLE : Oracle Traffic Director 11.1
 ORACLE : Oracle WebCenter Portal 11.1
 ORACLE : Oracle WebCenter Sites 11.1
 ORACLE : Hyperion Essbase Administration Services 11.1
 ORACLE : Hyperion Strategic Finance 11.1
 ORACLE : Agile Product Lifecycle Management for Process 6.1
 ORACLE : Demantra Demand Management 7.3
 ORACLE : Demantra Demand Management 12.2
 ORACLE : PeopleSoft Enterprise HRMS 9.2
 ORACLE : PeopleSoft Enterprise PeopleTools 8.53
 ORACLE : PeopleSoft Enterprise SCM Services Procurement 9.2
 ORACLE : VirtualBox 4.3
 ORACLE : MySQL Enterprise Monitor 3.0
 ORACLE : Solaris 8
 ORACLE : Solaris 9
 ORACLE : Solaris 10
 ORACLE : Oracle E-Business Suite 11i
 ORACLE : Oracle 11g
 ORACLE : JDK 7
 ORACLE : JRE 7
 ORACLE : JRockit 28.2
 ORACLE : JRockit 27.7
 ORACLE : AutoVue 20.1
 ORACLE : Oracle E-Business Suite 12i
 ORACLE : MySQL 5.6
 ORACLE : Solaris 11.1
 ORACLE : Oracle 12c
 ORACLE : Fusion Middleware 11g
 ORACLE : Oracle Forms and Reports 11g
 ORACLE : Oracle HTTP Server 12c
 ORACLE : Oracle Identity Manager 11.1
 ORACLE : Oracle Portal 11.1
 ORACLE : Oracle Transportation Management 6.3
 ORACLE : Siebel 8.2
 ORACLE : Oracle iLearning 6.0
 ORACLE : FLEXCUBE Private Banking 12.0
 ORACLE : JavaFX 2.2
 ORACLE : Oracle Secure Global Desktop 5
 ORACLE : MySQL Enterprise Monitor 2.3
 ORACLE : Fusion Middleware 12c
 ORACLE : Oracle Enterprise Data Quality 8.1
CVE:CVE-2014-0445 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect integrity via vectors related to PIA Core Technology, a different vulnerability than CVE-2014-0381.)
 CVE-2014-0444 (Unspecified vulnerability in the Oracle AutoVue Electro-Mechanical Professional component in Oracle Supply Chain Products Suite 20.1.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Web General, a different vulnerability than CVE-2013-5868 and CVE-2013-5871.)
 CVE-2014-0443 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 allows remote attackers to affect integrity via unknown vectors related to Security.)
 CVE-2014-0441 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect availability via unknown vectors related to Integration Broker.)
 CVE-2014-0440 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect availability via vectors related to PIA Core Technology.)
 CVE-2014-0439 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect integrity via unknown vectors related to Report Distribution.)
 CVE-2014-0438 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via unknown vectors related to Panel Processor.)
 CVE-2014-0437 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.)
 CVE-2014-0435 (Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3, 6.3.1, and 6.3.2 allows remote authenticated users to affect availability via unknown vectors related to Data, Domain & Function Security.)
 CVE-2014-0434 (Unspecified vulnerability in the Oracle Agile Product Lifecycle Management for Process component in Oracle Supply Chain Products Suite 6.0, 6.1, and 6.1.1 allows remote attackers to affect integrity via unknown vectors related to Installation.)
 CVE-2014-0433 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.)
 CVE-2014-0431 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-5881.)
 CVE-2014-0430 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema.)
 CVE-2014-0428 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to "insufficient security checks in IIOP streams," which allows attackers to escape the sandbox.)
 CVE-2014-0427 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via vectors related to FTS.)
 CVE-2014-0425 (Unspecified vulnerability in the PeopleSoft Enterprise SCM Services Procurement component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.)
 CVE-2014-0424 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, and CVE-2014-0418.)
 CVE-2014-0423 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote authenticated users to affect confidentiality and availability via unknown vectors related to Beans. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability in DocumentHandler.java, related to Beans decoding.)
 CVE-2014-0422 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JNDI. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to missing package access checks in the Naming / JNDI component, which allows attackers to escape the sandbox.)
 CVE-2014-0420 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Replication.)
 CVE-2014-0419 (Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) component in Oracle Virtualization SGD before 4.63 with December 2013 PSU, 4.71, 5.0 with December 2013 PSU, and 5.10 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration Console and Workspace Web Applications.)
 CVE-2014-0418 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, and CVE-2014-0424.)
 CVE-2014-0417 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JavaFX 2.2.45; and Java SE Embedded 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.)
 CVE-2014-0416 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAAS. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to how principals are set for the Subject class, which allows attackers to escape the sandbox using deserialization of a crafted Subject instance.)
 CVE-2014-0415 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0418, and CVE-2014-0424.)
 CVE-2014-0412 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.)
 CVE-2014-0411 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that this issue allows remote attackers to obtain sensitive information about encryption keys via a timing discrepancy during the TLS/SSL handshake.)
 CVE-2014-0410 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.)
 CVE-2014-0408 (Unspecified vulnerability in Oracle Java SE 7u45, when running on OS X, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.)
 CVE-2014-0407 (Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.)
 CVE-2014-0406 (Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-0404.)
 CVE-2014-0405 (Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.)
 CVE-2014-0404 (Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-0406.)
 CVE-2014-0403 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0375.)
 CVE-2014-0402 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking.)
 CVE-2014-0401 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors.)
 CVE-2014-0400 (Unspecified vulnerability in the Oracle Internet Directory component in Oracle Fusion Middleware 11.1.1.6 and 11.1.1.7 allows remote authenticated users to affect confidentiality via vectors related to OID LDAP server.)
 CVE-2014-0399 (Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.2, 6.3, 6.3.1, and 6.3.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Data, Domain & Function Security.)
 CVE-2014-0398 (Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, and 12.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Discoverer.)
 CVE-2014-0396 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect confidentiality via unknown vectors related to Portal - Web Services.)
 CVE-2014-0395 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect confidentiality via unknown vectors related to Updates Environment Mgmt, a different vulnerability than CVE-2014-0394.)
 CVE-2014-0394 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect confidentiality via unknown vectors related to Updates Environment Mgmt, a different vulnerability than CVE-2014-0395.)
 CVE-2014-0393 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect integrity via unknown vectors related to InnoDB.)
 CVE-2014-0392 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.)
 CVE-2014-0391 (Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.0, and 11.1.2.1 allows remote attackers to affect confidentiality via unknown vectors related to End User Self Service.)
 CVE-2014-0390 (Unspecified vulnerability in Oracle Solaris 10 allows remote attackers to affect integrity via unknown vectors related to Java Web Console.)
 CVE-2014-0389 (Unspecified vulnerability in Oracle iLearning 6.0 allows remote attackers to affect integrity via unknown vectors related to Learner Pages.)
 CVE-2014-0388 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS Human Resources component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Org and Workforce Dev.)
 CVE-2014-0387 (Unspecified vulnerability in Oracle Java SE 6u65 and Java SE 7u45, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
 CVE-2014-0386 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.)
 CVE-2014-0385 (Unspecified vulnerability in Oracle Java SE 7u45, when installing on OS X, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install.)
 CVE-2014-0383 (Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.2.0 and 11.1.2.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Identity Console.)
 CVE-2014-0382 (Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 allows remote attackers to affect availability via unknown vectors related to JavaFX.)
 CVE-2014-0381 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect integrity via vectors related to PIA Core Technology, a different vulnerability than CVE-2014-0445.)
 CVE-2014-0380 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect integrity via vectors related to MultiChannel Framework (MCF).)
 CVE-2014-0379 (Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server, 7.3.0.x, 7.3.1.x, 12.2.0, 12.2.1, and 12.2.2 allows remote attackers to affect integrity via unknown vectors related to DM Others.)
 CVE-2014-0378 (Unspecified vulnerability in the Spatial component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2014-0377 (Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality via vectors related to SYS tables.)
 CVE-2014-0376 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAXP. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to an improper check for "code permissions when creating document builder factories.")
 CVE-2014-0375 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0403.)
 CVE-2014-0374 (Unspecified vulnerability in the Oracle Portal component in Oracle Fusion Middleware 11.1.1.6 allows remote attackers to affect integrity via unknown vectors related to Page Parameters and Events.)
 CVE-2014-0373 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to throwing of an incorrect exception when SnmpStatusException should have been used in the SNMP implementation, which allows attackers to escape the sandbox.)
 CVE-2014-0372 (Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.1, and 12.2.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to DM Others.)
 CVE-2014-0371 (Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server, 7.3.0.x, 7.3.1.x, 12.2.0, 12.2.1, and 12.2.2 allows remote authenticated users to affect integrity via unknown vectors related to DM Others.)
 CVE-2014-0370 (Unspecified vulnerability in the Siebel Life Sciences component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Clinical Trip Report.)
 CVE-2014-0369 (Unspecified vulnerability in the Siebel Core - EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Java Integration.)
 CVE-2014-0368 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and Java SE Embedded 7u45, allows remote attackers to affect confidentiality via unknown vectors related to Networking. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to incorrect permission checks when listening on a socket, which allows attackers to escape the sandbox.)
 CVE-2014-0367 (Unspecified vulnerability in the Hyperion Essbase Administration Services component in Oracle Hyperion 11.1.2.1, 11.1.2.2, and 11.1.2.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Admin Console.)
 CVE-2014-0366 (Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, and 12.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Attachments.)
 CVE-2013-5910 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded 7u45, and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Security. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that CanonicalizerBase.java in the XML canonicalizer allows untrusted code to access mutable byte arrays.)
 CVE-2013-5909 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Org and Workforce Dev.)
 CVE-2013-5908 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling.)
 CVE-2013-5907 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is due to incorrect input validation in LookupProcessor.cpp in the ICU Layout Engine, which allows attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted font file.)
 CVE-2013-5906 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install, a different vulnerability than CVE-2013-5905.)
 CVE-2013-5905 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install, a different vulnerability than CVE-2013-5906.)
 CVE-2013-5904 (Unspecified vulnerability in Oracle Java SE 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
 CVE-2013-5902 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2014-0410, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.)
 CVE-2013-5901 (Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.2.0 and 11.1.2.1 allows remote attackers to affect confidentiality via unknown vectors related to Identity Console.)
 CVE-2013-5900 (Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.0, and 11.1.2.1 allows remote attackers to affect integrity via unknown vectors related to End User Self Service.)
 CVE-2013-5899 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality via unknown vectors related to Deployment.)
 CVE-2013-5898 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-0375 and CVE-2014-0403.)
 CVE-2013-5897 (Unspecified vulnerability in the Oracle Agile Product Lifecycle Management for Process component in Oracle Supply Chain Products Suite 6.0, 6.1, and 6.1.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Manage Data Cache.)
 CVE-2013-5896 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect availability via vectors related to CORBA. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that com.sun.corba.se and its sub-packages are not included on the restricted package list.)
 CVE-2013-5895 (Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 allows remote attackers to affect confidentiality via unknown vectors related to JavaFX.)
 CVE-2013-5894 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.)
 CVE-2013-5893 (Unspecified vulnerability in Oracle Java SE 7u45 and Java SE Embedded 7u45, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to improper handling of methods in MethodHandles in HotSpot JVM, which allows attackers to escape the sandbox.)
 CVE-2013-5892 (Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.22, and 4.3.6 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.)
 CVE-2013-5891 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.)
 CVE-2013-5890 (Unspecified vulnerability in the Oracle Payroll component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, and 12.2.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Exception Reporting.)
 CVE-2013-5889 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.)
 CVE-2013-5888 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, when running with GNOME, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
 CVE-2013-5887 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect availability via unknown vectors related to Deployment.)
 CVE-2013-5886 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote attackers to affect integrity via unknown vectors related to Common Application Objects.)
 CVE-2013-5885 (Unspecified vulnerability in Oracle Solaris 11.1 allows local users to affect integrity via unknown vectors related to Audit.)
 CVE-2013-5884 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality via vectors related to CORBA. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to an incorrect check for code permissions by CORBA stub factories.)
 CVE-2013-5883 (Unspecified vulnerability in Oracle Solaris 8 allows local users to affect integrity and availability via unknown vectors related to Kernel.)
 CVE-2013-5882 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Stored Procedures.)
 CVE-2013-5881 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2014-0431.)
 CVE-2013-5880 (Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 12.2.0, 12.2.1, and 12.2.2 allows remote attackers to affect confidentiality via unknown vectors related to DM Others.)
 CVE-2013-5879 (Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.4.0 and 8.4.1 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Maintenance.)
 CVE-2013-5878 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded 7u45, and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the the Security component does not properly handle null XML namespace (xmlns) attributes during XML document canonicalization, which allows attackers to escape the sandbox.)
 CVE-2013-5877 (Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, and 12.2.1 allows remote attackers to affect confidentiality via unknown vectors related to DM Others.)
 CVE-2013-5876 (Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local users to affect availability via unknown vectors related to Kernel.)
 CVE-2013-5875 (Unspecified vulnerability in Oracle Solaris 11.1 allows local users to affect integrity and availability via vectors related to Role Based Access Control (RBAC).)
 CVE-2013-5874 (Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, and 12.2.2 allows local users to affect confidentiality via unknown vectors related to Logging.)
 CVE-2013-5873 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect confidentiality via unknown vectors related to Integration Broker.)
 CVE-2013-5872 (Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local users to affect availability via vectors related to Name Service Cache Daemon (NSCD).)
 CVE-2013-5871 (Unspecified vulnerability in the Oracle AutoVue Electro-Mechanical Professional component in Oracle Supply Chain Products Suite 20.1.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Web General, a different vulnerability than CVE-2013-5868 and CVE-2014-0444.)
 CVE-2013-5870 (Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX.)
 CVE-2013-5869 (Unspecified vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.6.0, 11.1.1.7.0, and 11.1.1.8.0 allows remote attackers to affect confidentiality via unknown vectors related to Page Service.)
 CVE-2013-5868 (Unspecified vulnerability in the Oracle AutoVue Electro-Mechanical Professional component in Oracle Supply Chain Products Suite 20.1.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Web General, a different vulnerability than CVE-2013-5871 and CVE-2014-0444.)
 CVE-2013-5860 (Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via vectors related to GIS.)
 CVE-2013-5858 (Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect integrity via unknown vectors.)
 CVE-2013-5853 (Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, and 12.1.0.1 allows remote attackers to affect availability via unknown vectors.)
 CVE-2013-5834 (Unspecified vulnerability in Oracle Solaris 8 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to ps.)
 CVE-2013-5833 (Unspecified vulnerability in Oracle Solaris 8 and 9 allows local users to affect availability via unknown vectors related to Filesystem.)
 CVE-2013-5821 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11.1 allows local users to affect confidentiality, integrity, and availability via vectors related to RPC.)
 CVE-2013-5808 (Unspecified vulnerability in the Oracle iPlanet Web Proxy Server component in Oracle Fusion Middleware 4.0 allows remote attackers to affect confidentiality via unknown vectors related to Administration.)
 CVE-2013-5795 (Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.1, 12.2.2, and 12.2.3 allows remote attackers to affect confidentiality via unknown vectors related to DM Others.)
 CVE-2013-5785 (Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.6, 11.1.1.7, and 11.1.2.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security and Authentication.)
 CVE-2013-5764 (Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, and 12.1.0.1 allows remote authenticated users to affect availability via unknown vectors.)
 CVE-2013-4316 (Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.)
 CVE-2013-3830 (Unspecified vulnerability in the Hyperion Strategic Finance component in Oracle Hyperion 11.1.2.1 and 11.1.2.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Server.)
 CVE-2013-2924 (Use-after-free vulnerability in International Components for Unicode (ICU), as used in Google Chrome before 30.0.1599.66 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.)
 CVE-2013-2071 (java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.)
 CVE-2013-2067 (java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.)
 CVE-2013-1862 (mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator.)
 CVE-2013-1654 (Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors.)
 CVE-2013-1620 (The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.)
 CVE-2012-4605 (The default configuration of the SMTP component in Websense Email Security 6.1 through 7.3 enables weak SSL ciphers in the "SurfControl plc\SuperScout Email Filter\SMTP" registry key, which makes it easier for remote attackers to obtain sensitive information by sniffing the network and then conducting a brute-force attack against encrypted session data.)
 CVE-2012-3544 (Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.)
 CVE-2012-3499 (Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.)
 CVE-2007-1858 (The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts.)
 CVE-2007-0009 (Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values.)
 CVE-2003-1067 (Multiple buffer overflows in the (1) dbm_open function, as used in ndbm and dbm, and the (2) dbminit function in Solaris 2.6 through 9 allow local users to gain root privileges via long arguments to Xsun or other programs that use these functions.)
Оригинальный текстdocumentadvisories_(at)_portcullis-security.com, CVE-2014-5880 - Authentication Bypass in Oracle Demantra (05.05.2014)
 documentadvisories_(at)_portcullis-security.com, CVE-2014-5795 - Database Credentials Leak in Oracle Demantra (05.05.2014)
 documentadvisories_(at)_portcullis-security.com, CVE-2014-0372 - SQL Injection in Oracle Demantra (05.05.2014)
 documentMatthew Daley, Information on recently-fixed Oracle VM VirtualBox vulnerabilities (10.02.2014)
 documentSecurity Explorations, [SE-2013-01] Security vulnerabilities in Oracle Java Cloud Service (01.02.2014)
Файлы:Oracle Critical Patch Update Advisory - January 2014

DoS против Zarafa
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13743
Тип:удаленная
Уровень опасности:
5/10
Описание:Несколько возможностей DoS.
Затронутые продукты:ZARAFA : zarafa 7.1
CVE:CVE-2014-0079 (The ValidateUserLogon function in provider/libserver/ECSession.cpp in Zarafa 7.1.8, 6.20.0, and earlier, when using certain build conditions, allows remote attackers to cause a denial of service (crash) via vectors related to "a NULL pointer of the password.")
 CVE-2014-0037 (The ValidateUserLogon function in provider/libserver/ECSession.cpp in Zarafa 5.00 before 7.1.8 beta2 allows remote attackers to cause a denial of service (crash) via vectors related to "a NULL pointer of the username.")
Оригинальный текстdocumentMANDRIVA, [ MDVSA-2014:044 ] zarafa (05.05.2014)

Выполнение кода в Jetro Cockpit Secure Browsing
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13744
Тип:клиент
Уровень опасности:
5/10
Описание:Выполнение кода через механизм печати в PDF.
Затронутые продукты:JETROCOCKPIT : Jetro COCKPIT Secure Browsing 4.3
CVE:CVE-2014-1861 (The client in Jetro COCKPIT Secure Browsing (JCSB) 4.3.1 and 4.3.3 does not validate the FileName element in an RDP_FILE_TRANSFER document, which allows remote JCSB servers to execute arbitrary programs by providing a .EXE extension.)
Оригинальный текстdocumentRonen Z, Jetro Cockpit Secure Browsing vulnerability - Client missing input validation allowing RCE (05.05.2014)

Уязвимости безопасности в MAAS
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13745
Тип:удаленная
Уровень опасности:
5/10
Описание:Слабые разрешения, межсайтовый скриптинг.
Затронутые продукты:UBUNTU : MaaS 1.4
CVE:CVE-2013-1070 (Cross-site scripting (XSS) vulnerability in the API in Ubuntu Metal as a Service (MaaS) 1.2 and 1.4 allows remote attackers to inject arbitrary web script or HTML via the op parameter to nodes/.)
 CVE-2013-1069 (Ubuntu Metal as a Service (MaaS) 1.2 and 1.4 uses world-readable permissions for txlongpoll.yaml, which allows local users to obtain RabbitMQ authentication credentials by reading the file.)
Оригинальный текстdocumentUBUNTU, [USN-2105-1] MAAS vulnerabilities (05.05.2014)

Утечка информации в parcimonie
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13746
Тип:удаленная
Уровень опасности:
3/10
Описание:Утечка информации через тайминги.
Затронутые продукты:PARCIMONIE : parcimonie 0.8
CVE:CVE-2014-1921 (parcimonie before 0.8.1, when using a large keyring, sleeps for the same amount of time between fetches, which allows attackers to correlate key fetches via unspecified vectors.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 2860-1] parcimonie security update (05.05.2014)

Повышение привилегий в суперкомпьютерах Cray
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13747
Тип:локальная
Уровень опасности:
5/10
Описание:Повышение привилегий до root через aprun/apinit.
Затронутые продукты:CRAY : CLE 5.1
 CRAY : CLE 4.2
CVE:CVE-2014-0748 (apinit on Cray devices with CLE before 4.2.UP02 and 5.x before 5.1.UP00 does not use alpsauth data to validate the UID in a launch message, which allows local users to gain privileges via a modified aprun program, aka ID FN5912.)
Оригинальный текстdocumentjohn.fitzpatrick_(at)_mwrinfosecurity.com, [mwrlabs advisory][CVE-2014-0748] Cray Aprun/Apinit Privilege Escalation (05.05.2014)

Кратковременные условия в OpenSSL
дополнено с 1 мая 2014 г.
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13690
Тип:библиотека
Уровень опасности:
7/10
Описание:Кратковременные условия приводят к DoS или возможности инъекции данных.
Затронутые продукты:OPENSSL : OpenSSL 1.0
CVE:CVE-2014-0198 (The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.)
 CVE-2010-5298 (Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.)
Оригинальный текстdocumentUBUNTU, [USN-2192-1] OpenSSL vulnerabilities (05.05.2014)
 documentFREEBSD, FreeBSD Security Advisory FreeBSD-SA-14:09.openssl [REVISED] (01.05.2014)

Переполнение буфера в xbuffy
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13749
Тип:клиент
Уровень опасности:
5/10
Описание:Переполнение буфера при разборе писем.
Затронутые продукты:XBUFFY : xbuffy 3.3
CVE:CVE-2014-0469 (Stack-based buffer overflow in a certain Debian patch for xbuffy before 3.3.bl.3.dfsg-9 allows remote attackers to execute arbitrary code via the subject of an email, possibly related to indent subject lines.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 2921-1] xbuffy security update (05.05.2014)

Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)
дополнено с 5 мая 2014 г.
Опубликовано:5 мая 2014 г.
Источник:
SecurityVulns ID:13733
Тип:удаленная
Уровень опасности:
5/10
Описание:Инъекции PHP, инъекции SQL, обратный путь в каталогах, межсайтовый скриптинг, модификация файлов, утечка информации и т.д.
Затронутые продукты:CACTI : cacti 0.8
 MYBB : Mybb 1.6
 POSTFIXADMIN : postfixadmin 2.3
 EXTPLORER : extplorer 2.1
 OTRS : otrs 3.2
 SYNOLOGY : Synology DSM 4.3
 NAGIOS : Nagios 3.5
 WOLTLAB : Woltlab Burning Board 3.9
 SENDY : Sendy 1.1
 ZEND : php-ZendFramework 1.12
 PHPFOX : PHPFox 3.7
 MEDIAWIKI : MediaWiki 1.22
 CHECKMK : check_mk 1.2
 ICINGA : icinga 1.9
 CACTI : php-font-lib 0.3
 WEBMIN : Webmin 1.590
 SEEDDMS : SeedDMS 4.3
 REXX : rexx Recruitment 7
 INTERWORX : InterWorx Control Panel 5.0
 VTIGER : Vtiger CRM 6.0
 PROCENTIA : IntelliPen 1.1
 PIVOTAL : Spring MVC 4.0
 ESTORE : E-store 2.0
 CLANSPHERE : ClanSphere 2011.4
 WORDPRESS : thecotton Themes 1.14
 PIVOTAL : Grails 2.3
 FITNESSWIKI : Fitnesse Wiki 20131110
 WORDPRSS : Media File Renamer 1.7
 COSMOSHOP : CosmoShop ePRO 10.17
 INTERWORX : InterWorx Web Control Panel 5.0
 PHPMYADMIN : phpMyAdmin 4.1
 TELLIGENT : Telligent Evolution 7.5
 PHPMYBACKUPPRO : phpMyBackupPro 2.4
 OPENWEBANALYTICS : Open Web Analytics 1.5
 WORDPRESS : Buddypress 1.9
 FREEPBX : FreePBX 2.11
 FREEPBX : FreePBX 12.0
CVE:CVE-2014-2685 (The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.)
 CVE-2014-2684 (The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote attackers to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values.)
 CVE-2014-2683 (Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.)
 CVE-2014-2682 (Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.)
 CVE-2014-2681 (Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.)
 CVE-2014-2655 (SQL injection vulnerability in the gen_show_status function in functions.inc.php in Postfix Admin (aka postfixadmin) before 2.3.7 allows remote authenticated users to execute arbitrary SQL commands via a new alias.)
 CVE-2014-2570 (Cross-site scripting (XSS) vulnerability in www/make_subset.php in PHP Font Lib before 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the name parameter.)
 CVE-2014-2531 (SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) Resellers interface, as demonstrated by the "or" key in a pgn8state object in an i object in a JSON object.)
 CVE-2014-2332 (Check_MK before 1.2.2p3 and 1.2.3x before 1.2.3i5 allows remote authenticated users to delete arbitrary files via a request to an unspecified link, related to "Insecure Direct Object References." NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2330.)
 CVE-2014-2331 (Check_MK 1.2.2p2, 1.2.2p3, and 1.2.3i5 allows remote authenticated users to execute arbitrary Python code via a crafted rules.mk file in a snapshot. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2330.)
 CVE-2014-2330 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Multisite GUI in Check_MK before 1.2.5i2 allow remote attackers to hijack the authentication of users for requests that (1) upload arbitrary snapshots, (2) delete arbitrary files, or possibly have other unspecified impact via unknown vectors.)
 CVE-2014-2329 (Multiple cross-site scripting (XSS) vulnerabilities in Check_MK before 1.2.2p3 and 1.2.3x before 1.2.3i5 allow remote authenticated users to inject arbitrary web script or HTML via the (1) agent string for a check_mk agent, a (2) crafted request to a monitored host, which is not properly handled by the logwatch module, or other unspecified vectors.)
 CVE-2014-2328 (lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors.)
 CVE-2014-2327 (Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users.)
 CVE-2014-2326 (Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2014-2280 (Cross-site scripting (XSS) vulnerability in the search feature in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allows remote attackers to inject arbitrary web script or HTML via the query parameter.)
 CVE-2014-2279 (Multiple directory traversal vulnerabilities in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allow (1) remote authenticated users with access to the LogManagement functionality to read arbitrary files via a .. (dot dot) in the logname parameter to out/out.LogManagement.php or (2) remote attackers to write to arbitrary files via a .. (dot dot) in the fileId parameter to op/op.AddFile2.php. NOTE: vector 2 can be leveraged to execute arbitrary code by using CVE-2014-2278.)
 CVE-2014-2278 (Unrestricted file upload vulnerability in op/op.AddFile2.php in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allows remote attackers to execute arbitrary code by uploading a file with an executable extension specified by the partitionIndex parameter and leveraging CVE-2014-2279.2 to access it via the directory specified by the fileId parameter.)
 CVE-2014-2244 (Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in the text parameter to api.php.)
 CVE-2014-2243 (includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses.)
 CVE-2014-2242 (includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element.)
 CVE-2014-2043 (SQL injection vulnerability in Resources/System/Templates/Data.aspx in Procentia IntelliPen before 1.1.18.1658 allows remote authenticated users to execute arbitrary SQL commands via the value parameter.)
 CVE-2014-2040 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) callback_multicheck, (2) callback_radio, and (3) callback_wysiwygin functions in mfrh_class.settings-api.php in the Media File Renamer plugin 1.7.0 for WordPress allow remote authenticated users with permissions to add media or edit media to inject arbitrary web script or HTML via unspecified parameters, as demonstrated by the title of an uploaded file.)
 CVE-2014-2035 (Cross-site scripting (XSS) vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.13 build 574 allows remote attackers to inject arbitrary web script or HTML via the i parameter.)
 CVE-2014-1904 (Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.)
 CVE-2014-1889
 CVE-2014-1888 (Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details. NOTE: this can be exploited without authentication by leveraging CVE-2014-1889.)
 CVE-2014-1879 (Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action.)
 CVE-2014-1695 (Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email.)
 CVE-2014-1694 (Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.)
 CVE-2014-1610 (MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.)
 CVE-2014-1471 (SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL.)
 CVE-2014-1455 (SQL injection vulnerability in the password reset functionality in Pearson eSIS Enterprise Student Information System, possibly 3.3.0.13 and earlier, allows remote attackers to execute arbitrary SQL commands via the new password.)
 CVE-2014-1454
 CVE-2014-1224 (Incomplete blacklist vulnerability in the user registration feature in rexx Recruitment R6.1 and R7 without "fixes from 2014-01-15" allows remote attackers to conduct cross-site scripting (XSS) attacks via the oninput event handler in the fname parameter to the default URI in /reg.)
 CVE-2014-1223 (Cross-site scripting (XSS) vulnerability in controlpanel/loading.aspx in Telligent Evolution before 6.1.19.36103, 7.x before 7.1.12.36162, 7.5.x, and 7.6.x before 7.6.7.36651 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: some of these details are obtained from third party information.)
 CVE-2014-1222 (Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action.)
 CVE-2014-1216 (FitNesse Wiki 20131110, 20140201, and earlier allows remote attackers to execute arbitrary commands by defining a COMMAND_PATTERN and TEST_RUNNER in the pageContent parameter when editing a page.)
 CVE-2014-1206 (SQL injection vulnerability in the password reset page in Open Web Analytics (OWA) before 1.5.5 allows remote attackers to execute arbitrary SQL commands via the owa_email_address parameter in a base.passwordResetRequest action to index.php.)
 CVE-2014-0097
 CVE-2014-0054 (The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.)
 CVE-2014-0053 (The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 before 2.3.6 does not properly restrict access to files in the WEB-INF directory, which allows remote attackers to obtain sensitive information via a direct request. NOTE: this identifier has been SPLIT due to different researchers and different vulnerability types. See CVE-2014-2857 for the META-INF variant and CVE-2014-2858 for the directory traversal.)
 CVE-2013-7196 (static/ajax.php in PHPFox 3.7.3, 3.7.4, and 3.7.5 allows remote authenticated users to bypass intended "Only Me" restrictions and comment on a private publication via a request with a modified val[item_id] parameter for the publication.)
 CVE-2013-7195 (PHPFox 3.7.3 and 3.7.4 allows remote authenticated users to bypass intended "Only Me" restrictions and "like" a publication via a request that specifies the ID for the publication.)
 CVE-2013-7108 (Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.)
 CVE-2013-7106 (Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long string to the (1) display_nav_table, (2) page_limit_selector, (3) print_export_link, or (4) page_num_selector function in cgi/cgiutils.c; (5) status_page_num_selector function in cgi/status.c; or (6) display_command_expansion function in cgi/config.c. NOTE: this can be exploited without authentication by leveraging CVE-2013-7107.)
 CVE-2013-6472 (MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists.)
 CVE-2013-6453 (MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote attackers to have unspecified impact via invalid XML.)
 CVE-2013-6452 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file.)
 CVE-2013-6451
 CVE-2013-6429 (The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.)
 CVE-2013-6234
 CVE-2013-6233 (Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via the Description field in the "Short document metadata.")
 CVE-2013-6232 (Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via a document note in the execution page.)
 CVE-2013-6231
 CVE-2013-5951 (Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer 2.1.3, when used as a component for Joomla!, allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) application.js.php in scripts/ or (2) admin.php, (3) copy_move.php, (4) functions.php, (5) header.php, or (6) upload.php in include/.)
 CVE-2013-4568 (Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are converted and rendered by Internet Explorer.)
 CVE-2013-4152 (The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.)
 CVE-2012-4893 (Multiple cross-site request forgery (CSRF) vulnerabilities in file/show.cgi in Webmin 1.590 and earlier allow remote attackers to hijack the authentication of privileged users for requests that (1) read files or execute (2) tar, (3) zip, or (4) gzip commands, a different issue than CVE-2012-2982.)
 CVE-2012-2983 (file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents, which allows remote attackers to read arbitrary files via the file field.)
 CVE-2012-2982 (file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a | (pipe) character.)
 CVE-2012-2981 (Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary Perl code via a crafted file associated with the type (aka monitor type name) parameter.)
Оригинальный текстdocumentiedb.team_(at)_gmail.com, Wordpress all_in_one_carousel Plugin /XSS/CSRF/ Vuln (05.05.2014)
 documentiedb.team_(at)_gmail.com, Phpbb Forum Denial of Service Vulnerability (05.05.2014)
 documentrob.thomas_(at)_schmoozecom.com, [CVE-2014-1903] FreePBX 2.9 through 12 RCE (05.05.2014)
 documentiedb.team_(at)_gmail.com, Mybb All Version Denial of Service Vulnerability (05.05.2014)
 documentPietro Oliva, Wordpress plugin Buddypress <= 1.9.1 stored xss vulnerability (05.05.2014)
 documentPietro Oliva, Wordpress plugin Buddypress <= 1.9.1 privilege escalation vulnerability (05.05.2014)
 documentISecAuditors Security Advisories, [ISecAuditors Security Advisories] - Reflected XSS vulnerability in Boxcryptor (www.boxcryptor.com) (05.05.2014)
 documentAaron Zauner, Critical security flaws in Nagios NRPE client/server crypto (05.05.2014)
 documentno-reply_(at)_secureworks.com, [SWRX-2014-001] Open Web Analytics Pre-Auth SQL Injection (05.05.2014)
 documentiedb.team_(at)_gmail.com, phpMyBackupPro-2.4 Cross-Site Scripting vulnerability (05.05.2014)
 documentEric Flokstra, [CVE-2014-2035] XSS in InterWorx Web Control Panel <= 5.0.12 (05.05.2014)
 documentMANDRIVA, [ MDVSA-2014:046 ] phpmyadmin (05.05.2014)
 documentadvisories_(at)_portcullis-security.com, CVE-2014-1223 - Cross-site Scripting in Telligent Evolution (05.05.2014)
 documentDEBIAN, [SECURITY] [DSA 2867-1] otrs2 security update (05.05.2014)
 documentl0om, Authentication-Bypass in CosmoShop ePRO V10.17.00 (and lower, maybe higher) (05.05.2014)
 documentlarry0_(at)_me.com, Persistent XSS in Media File Renamer V1.7.0 wordpress plugin (05.05.2014)
 documentPivotal Security Team, Update: CVE-2014-0053 Information Disclosure when using Grails (05.05.2014)
 documentadvisories_(at)_portcullis-security.com, CVE-2014-1216 - Remote Command Execution in Fitnesse Wiki (05.05.2014)
 documentiedb.team_(at)_gmail.com, WordPress thecotton Themes Remote File Upload Vulnerability (05.05.2014)
 documentChristian Catalano, [CVE-2013-6231] Remote Privilege Escalation in SpagoBI v4.0 (05.05.2014)
 documentChristian Catalano, [CVE-2013-6232] Persistent Cross-Site Scripting (XSS) in SpagoBI v4.0 (05.05.2014)
 documentChristian Catalano, [CVE-2013-6233] Persistent HTML Script Insertion permits offsite-bound forms in SpagoBI v4.0 (05.05.2014)
 documentChristian Catalano, [CVE-2013-6234] XSS File Upload in SpagoBI v4.0 (05.05.2014)
 documentBartlomiej Balcerek, JOIDS (Java OpenID Server) multiple vulnerabilities (05.05.2014)
 documentcontact_(at)_httpcs.com, [HTTPCS] ClanSphere 'where' Cross Site Scripting Vulnerability (05.05.2014)
 documentAlkeraithe_(at)_gmail.com, E-Store (1.0 & 2.0) <= SQL Injection Vulnerability (05.05.2014)
 documentMichael Wisniewski, Synology DSM4 Blind SQL Injection (05.05.2014)
 documentPivotal Security Team, CVE-2014-1222 - Local File Inclusion in Vtiger CRM (05.05.2014)
 documentPivotal Security Team, CVE-2014-2043 - SQL Injection in Procentia IntelliPen (05.05.2014)
 documentPivotal Security Team, CVE-2014-0054 Spring MVC Incomplete fix for CVE-2013-4152 / CVE-2013-6429 (XXE) (05.05.2014)
 documentPivotal Security Team, CVE-2014-0097 Spring Security Blank password may bypass user authentication (05.05.2014)
 documentPivotal Security Team, CVE-2014-1904 XSS when using Spring MVC (05.05.2014)
 documentEric Flokstra, [CVE-2014-2531] SQL injection in InterWorx Web Control Panel <= 5.0.13 (05.05.2014)
 documentRedTeam Pentesting, [RT-SA-2014-002] rexx Recruitment: Cross-Site Scripting in User Registration (05.05.2014)
 documentDEBIAN, [SECURITY] [DSA 2889-1] postfixadmin security update (05.05.2014)
 documentMANDRIVA, [ MDVSA-2014:054 ] otrs (05.05.2014)
 documentcraig.arendt_(at)_stratumsecurity.com, Multiple Vulnerabilities in SeedDMS < = 4.3.3 (05.05.2014)
 documentMANDRIVA, [ MDVSA-2014:062 ] webmin (05.05.2014)
 documentDEBIAN, [SECURITY] [DSA 2882-1] extplorer security update (05.05.2014)
 documentDaniel C. Marques, CVE-2014-2570 - php-font-lib 0.3 www/make_subset.php Reflected Cross Site Scripting (05.05.2014)
 documentCERT_(at)_telekom.de, Deutsche Telekom CERT Advisory [DTC-A-20140324-004] nagios vulnerability (05.05.2014)
 documentCERT_(at)_telekom.de, Deutsche Telekom CERT Advisory [DTC-A-20140324-003] vulnerabilities in icinga (05.05.2014)
 documentCERT_(at)_telekom.de, Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti (05.05.2014)
 documentCERT_(at)_telekom.de, Deutsche Telekom CERT Advisory [DTC-A-20140324-002] update140328 - vulnerabilities in check_mk (05.05.2014)
 documentMANDRIVA, [ MDVSA-2014:057 ] mediawiki (05.05.2014)
 documentWesley Henrique Leite, Vulnerability in PHPFox v3.7.3, v3.7.4 and v3.7.5 all build [ CVE-2013-7195, CVE-2013-7196 ] (05.05.2014)
 documenttudor.enache_(at)_helpag.com, Pearson eSIS Enterprise Student Information System SQL Injection (05.05.2014)
 documenttudor.enache_(at)_helpag.com, Pearson eSIS Enterprise Student Information System Stored XSS (05.05.2014)
 documentMANDRIVA, [ MDVSA-2014:072 ] php-ZendFramework (05.05.2014)
 documentmarduk369_(at)_gmail.com, Sendy 1.1.9.1 - SQL Injection Vulnerability (05.05.2014)
 documentVulnerability Lab, Woltlab Burning Board 3.9.1 pl1 - Persistent Web Vulnerability & Editor Reverse Encoding Issue (05.05.2014)

Многочисленные уязвимости безопасности в Chromium / Google Chrome
дополнено с 5 мая 2014 г.
Опубликовано:9 июня 2014 г.
Источник:
SecurityVulns ID:13748
Тип:клиент
Уровень опасности:
7/10
Описание:Обход защиты, использование памяти после освобождения, повреждения памяти, целочисленные переполнения.
Затронутые продукты:GOOGLE : Chrome 34.0
 CHROMIUM : Chromium 34.0
CVE:CVE-2014-3152 (Integer underflow in the LCodeGen::PrepareKeyedOperand function in arm/lithium-codegen-arm.cc in Google V8 before 3.25.28.16, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a negative key value.)
 CVE-2014-1749 (Multiple unspecified vulnerabilities in Google Chrome before 35.0.1916.114 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.)
 CVE-2014-1748 (The ScrollView::paint function in platform/scroll/ScrollView.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to spoof the UI by extending scrollbar painting into the parent frame.)
 CVE-2014-1747 (Cross-site scripting (XSS) vulnerability in the DocumentLoader::maybeCreateArchive function in core/loader/DocumentLoader.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to inject arbitrary web script or HTML via crafted MHTML content, aka "Universal XSS (UXSS).")
 CVE-2014-1746 (The InMemoryUrlProtocol::Read function in media/filters/in_memory_url_protocol.cc in Google Chrome before 35.0.1916.114 relies on an insufficiently large integer data type, which allows remote attackers to cause a denial of service (out-of-bounds read) via vectors that trigger use of a large buffer.)
 CVE-2014-1745 (Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger removal of an SVGFontFaceElement object, related to core/svg/SVGFontFaceElement.cpp.)
 CVE-2014-1744 (Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.)
 CVE-2014-1743 (Use-after-free vulnerability in the StyleElement::removedFromDocument function in core/dom/StyleElement.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code that triggers tree mutation.)
 CVE-2014-1742 (Use-after-free vulnerability in the FrameSelection::updateAppearance function in core/editing/FrameSelection.cpp in Blink, as used in Google Chrome before 34.0.1847.137, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper RenderObject handling.)
 CVE-2014-1741 (Multiple integer overflows in the replace-data functionality in the CharacterData interface implementation in core/dom/CharacterData.cpp in Blink, as used in Google Chrome before 34.0.1847.137, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to ranges.)
 CVE-2014-1740 (Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.)
 CVE-2014-1736 (Integer overflow in api.cc in Google V8, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large length value.)
 CVE-2014-1735 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35.33, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.)
 CVE-2014-1734 (Multiple unspecified vulnerabilities in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux allow attackers to cause a denial of service or possibly have other impact via unknown vectors.)
 CVE-2014-1733 (The PointerCompare function in codegen.cc in Seccomp-BPF, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly merge blocks, which might allow remote attackers to bypass intended sandbox restrictions by leveraging renderer access.)
 CVE-2014-1732 (Use-after-free vulnerability in browser/ui/views/speech_recognition_bubble_views.cc in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux allows remote attackers to cause a denial of service or possibly have unspecified other impact via an INPUT element that triggers the presence of a Speech Recognition Bubble window for an incorrect duration.)
 CVE-2014-1731 (core/html/HTMLSelectElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly check renderer state upon a focus event, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion" for SELECT elements.)
 CVE-2014-1730 (Google V8, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly store internationalization metadata, which allows remote attackers to bypass intended access restrictions by leveraging "type confusion" and reading property values, related to i18n.js and runtime.cc.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 2939-1] chromium-browser security update (09.06.2014)
 documentDEBIAN, [SECURITY] [DSA 2930-1] chromium-browser security update (30.05.2014)
 documentDEBIAN, [SECURITY] [DSA 2920-1] chromium-browser security update (05.05.2014)

DoS против VMWare Workstation / Player
дополнено с 5 мая 2014 г.
Опубликовано:10 ноября 2014 г.
Источник:
SecurityVulns ID:13731
Тип:локальная
Уровень опасности:
5/10
Описание:Обращение к неинициализированной памяти при обработке IOCTL.
Затронутые продукты:VMWARE : VMware Workstation 10.0
 VMWARE : VMware Player 6.0
CVE:CVE-2014-2384 (vmx86.sys in VMware Workstation 10.0.1 build 1379776 and VMware Player 6.0.1 build 1379776 on Windows might allow local users to cause a denial of service (read access violation and system crash) via a crafted buffer in an IOCTL call. NOTE: the researcher reports "Vendor rated issue as non-exploitable.")
Оригинальный текстdocumentdisclosures_(at)_korelogic.com, KL-001-2014-004 : VMWare vmx86.sys Arbitrary Kernel Read (10.11.2014)
 documentadvisories_(at)_portcullis-security.com, CVE-2014-2384 - Invalid Pointer Dereference in VMware Workstation and Player (05.05.2014)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород