CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In March 2014

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-2671 119 1 DoS Overflow Mem. Corr. 2014-03-31 2014-04-14
6.8
None Remote Medium Not required Partial Partial Partial
Microsoft Windows Media Player (WMP) 11.0.5721.5230 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted WAV file.
2 CVE-2014-2670 79 XSS 2014-03-29 2014-03-31
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Properties.do in ZOHO ManageEngine OpStor before build 8500 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter, a different vulnerability than CVE-2014-0344.
3 CVE-2014-2669 189 Overflow 2014-03-31 2014-05-20
6.5
None Remote Low Single system Partial Partial Partial
Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3) hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a buffer overflow. NOTE: this issue was SPLIT from CVE-2014-0064 because it has a different set of affected versions.
4 CVE-2014-2668 20 1 DoS 2014-03-28 2014-04-19
5.0
None Remote Low Not required None None Partial
Apache CouchDB 1.5.0 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via the count parameter to /_uuids.
5 CVE-2014-2653 20 2014-03-27 2014-06-26
5.8
None Remote Medium Not required Partial Partial None
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
6 CVE-2014-2599 20 DoS 2014-03-28 2014-03-31
4.9
None Local Low Not required None None Complete
The HVMOP_set_mem_access HVM control operations in Xen 4.1.x for 32-bit and 4.1.x through 4.4.x for 64-bit allow local guest administrators to cause a denial of service (CPU consumption) by leveraging access to certain service domains for HVM guests and a large input.
7 CVE-2014-2589 79 XSS 2014-03-24 2014-03-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Dashboard Backend service (stats/dashboard.jsp) in SonicWall Network Security Appliance (NSA) 2400 allows remote attackers to inject arbitrary web script or HTML via the sn parameter.
8 CVE-2014-2588 22 1 Dir. Trav. 2014-03-24 2014-04-01
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in servlet/downloadReport in McAfee Asset Manager 6.6 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the reportFileName parameter.
9 CVE-2014-2587 89 1 Exec Code Sql 2014-03-24 2014-04-01
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in jsp/reports/ReportsAudit.jsp in McAfee Asset Manager 6.6 allows remote authenticated users to execute arbitrary SQL commands via the username of an audit report (aka user parameter).
10 CVE-2014-2586 79 1 XSS 2014-03-24 2014-03-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the login audit form in McAfee Cloud Single Sign On (SSO) allows remote attackers to inject arbitrary web script or HTML via a crafted password.
11 CVE-2014-2585 20 2014-03-24 2014-03-24
4.9
None Remote Medium Single system Partial Partial None
ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external app is enabled, allows remote authenticated users to mount the local filesystem in the user's ownCloud via the mount configuration.
12 CVE-2014-2573 264 DoS Bypass 2014-03-25 2014-03-26
2.3
None Local Network Medium Single system None None Partial
The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image.
13 CVE-2014-2572 264 2014-03-24 2014-03-24
4.0
None Remote Low Single system None Partial None
mod/assign/externallib.php in Moodle 2.6.x before 2.6.2 does not properly handle assignment web-service parameters, which might allow remote authenticated users to modify grade metadata via unspecified vectors.
14 CVE-2014-2571 79 XSS 2014-03-24 2014-03-24
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the quiz_question_tostring function in mod/quiz/editlib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to inject arbitrary web script or HTML via a quiz question.
15 CVE-2014-2568 399 +Info 2014-03-24 2014-07-17
2.9
None Local Network Medium Not required Partial None None
Use-after-free vulnerability in the nfqnl_zcopy function in net/netfilter/nfnetlink_queue_core.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. NOTE: the affected code was moved to the skb_zerocopy function in net/core/skbuff.c before the vulnerability was announced.
16 CVE-2014-2567 200 +Info 2014-03-21 2014-03-25
4.3
None Remote Medium Not required None Partial None
The OpenConnectionTask::handleStateHelper function in Imap/Tasks/OpenConnectionTask.cpp in Trojita before 0.4.1 allows man-in-the-middle attackers to trigger use of cleartext for saving a message into a (1) sent or (2) draft folder via a PREAUTH response that prevents later use of the STARTTLS command.
17 CVE-2014-2538 79 XSS 2014-03-25 2014-04-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack.
18 CVE-2014-2537 399 DoS 2014-03-18 2014-04-01
7.8
None Remote Low Not required None None Complete
Memory leak in the TCP stack in the kernel in Sophos UTM before 9.109 allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors.
19 CVE-2014-2536 22 Dir. Trav. 2014-03-18 2014-04-01
4.3
None Remote Medium Not required Partial None None
Directory traversal vulnerability in McAfee Cloud Identity Manager 3.0, 3.1, and 3.5.1, McAfee Cloud Single Sign On (MCSSO) before 4.0.1, and Intel Expressway Cloud Access 360-SSO 2.1 and 2.5 allows remote authenticated users to read an unspecified file containing a hash of the administrator password via unknown vectors.
20 CVE-2014-2535 22 Dir. Trav. 2014-03-18 2014-04-01
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in McAfee Web Gateway (MWG) 7.4.x before 7.4.1, 7.3.x before 7.3.2.6, and 7.2.0.9 and earlier allows remote authenticated users to read arbitrary files via a crafted request to the web filtering port.
21 CVE-2014-2534 264 1 +Info 2014-03-18 2014-04-01
4.9
None Local Low Not required Complete None None
/sbin/pppoectl in BlackBerry QNX Neutrino RTOS 6.4.x and 6.5.x allows local users to obtain sensitive information by reading "bad parameter" lines in error messages, as demonstrated by reading the root password hash in /etc/shadow.
22 CVE-2014-2533 264 1 +Priv 2014-03-18 2014-04-01
7.2
None Local Low Not required Complete Complete Complete
/sbin/ifwatchd in BlackBerry QNX Neutrino RTOS 6.4.x and 6.5.x allows local users to gain privileges by providing an arbitrary program name as a command-line argument.
23 CVE-2014-2532 264 Bypass 2014-03-18 2014-06-26
5.8
None Remote Medium Not required Partial Partial None
sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.
24 CVE-2014-2526 79 XSS 2014-03-25 2014-03-26
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in BarracudaDrive before 6.7 allow remote attackers to inject arbitrary web script or HTML via the (1) sForumName or (2) sDescription parameter to Forum/manage/ForumManager.lsp; (3) sHint, (4) sWord, or (5) nId parameter to Forum/manage/hangman.lsp; (6) user parameter to rtl/protected/admin/wizard/setuser.lsp; (7) name or (8) email parameter to feedback.lsp; (9) lname or (10) url parameter to private/manage/PageManager.lsp; (11) cmd parameter to fs; (12) newname, (13) description, (14) firstname, (15) lastname, or (16) id parameter to rtl/protected/mail/manage/list.lsp; or (17) PATH_INFO to fs/.
25 CVE-2014-2525 119 Exec Code Overflow 2014-03-28 2014-04-24
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.
26 CVE-2014-2523 20 DoS Exec Code 2014-03-24 2014-04-01
10.0
None Remote Low Not required Complete Complete Complete
net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.
27 CVE-2014-2497 399 DoS 2014-03-21 2014-07-17
4.3
None Remote Medium Not required None None Partial
The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.
28 CVE-2014-2386 189 DoS Overflow 2014-03-25 2014-03-25
5.0
None Remote Low Not required None None Partial
Multiple off-by-one errors in Icinga, possibly 1.10.2 and earlier, allow remote attackers to cause a denial of service (crash) via unspecified vectors to the (1) display_nav_table, (2) print_export_link, (3) page_num_selector, or (4) page_limit_selector function in cgi/cgiutils.c or (5) status_page_num_selector function in cgi/status.c, which triggers a stack-based buffer overflow.
29 CVE-2014-2339 89 Exec Code Sql 2014-03-19 2014-03-20
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in bbs/ajax.autosave.php in GNUboard 5.x and possibly earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) subject or (2) content parameter.
30 CVE-2014-2326 79 XSS 2014-03-27 2014-07-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
31 CVE-2014-2325 79 XSS 2014-03-14 2014-03-25
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Proxmox Mail Gateway before 3.1-5829 allow remote attackers to inject arbitrary web script or HTML via the (1) state parameter to objects/who/index.htm or (2) User email address to quarantine/spam/manage.htm.
32 CVE-2014-2324 22 Dir. Trav. 2014-03-14 2014-04-19
5.0
None Remote Low Not required Partial None None
Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname.
33 CVE-2014-2323 89 Exec Code Sql 2014-03-14 2014-04-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
34 CVE-2014-2321 264 2014-03-11 2014-03-11
10.0
None Remote Low Not required Complete Complete Complete
web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.
35 CVE-2014-2319 310 +Info 2014-03-14 2014-03-14
5.0
None Remote Low Not required Partial None None
The Encrypt Files feature in ConeXware PowerArchiver before 14.02.05 uses legacy ZIP encryption even if the AES 256-bit selection is chosen, which makes it easier for context-dependent attackers to obtain sensitive information via a known-plaintext attack.
36 CVE-2014-2318 89 Exec Code Sql 2014-03-11 2014-03-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in ATCOM Netvolution 3 allows remote attackers to execute arbitrary SQL commands via the m parameter.
37 CVE-2014-2317 89 Exec Code Sql 2014-03-09 2014-03-10
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in ajax_udf.php in OpenDocMan before 1.2.7.2 allows remote attackers to execute arbitrary SQL commands via the table parameter. NOTE: some of these details are obtained from third party information.
38 CVE-2014-2316 89 Exec Code Sql 2014-03-09 2014-03-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in se_search_default in the Search Everything plugin before 7.0.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the s parameter to index.php. NOTE: some of these details are obtained from third party information.
39 CVE-2014-2315 79 XSS 2014-03-09 2014-03-10
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Thank You Counter Button plugin 1.8.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) thanks_caption, (2) thanks_caption_style, or (3) thanks_style parameter to wp-admin/options.php.
40 CVE-2014-2314 22 Dir. Trav. 2014-03-09 2014-03-10
4.3
None Remote Medium Not required None Partial None
Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create arbitrary files via unspecified vectors.
41 CVE-2014-2313 22 Dir. Trav. 2014-03-09 2014-03-10
4.3
None Remote Medium Not required None Partial None
Directory traversal vulnerability in the Importers plugin in Atlassian JIRA before 6.0.5 allows remote attackers to create arbitrary files via unspecified vectors.
42 CVE-2014-2311 89 Exec Code Sql 2014-03-11 2014-03-12
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in modx.class.php in MODX Revolution 2.0.0 before 2.2.13 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
43 CVE-2014-2309 189 DoS 2014-03-11 2014-06-21
6.1
None Local Network Low Not required None None Complete
The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets.
44 CVE-2014-2299 119 1 DoS Exec Code Overflow 2014-03-11 2014-05-10
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in the mpeg_read function in wiretap/mpeg.c in the MPEG parser in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a large record in MPEG data.
45 CVE-2014-2292 +Priv 2014-03-14 2014-03-17
7.2
None Local Low Not required Complete Complete Complete
Unspecified vulnerability in the Linux Network Connect client in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS before 7.1r18, 7.3 before 7.3r10, 7.4 before 7.4r8, and 8.0 before 8.0r1 allows local users to gain privileges via unspecified vectors.
46 CVE-2014-2291 79 XSS 2014-03-14 2014-04-01
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Pulse Collaboration (Secure Meeting) user pages in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS before 7.1r18, 7.3 before 7.3r10, 7.4 before 7.4r8, and 8.0 before 8.0r1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
47 CVE-2014-2284 20 DoS 2014-03-24 2014-09-13
5.0
None Remote Low Not required None None Partial
The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before 5.5.2.1, 5.6.x before 5.6.2.1, and 5.7.x before 5.7.2.1 does not properly validate input, which allows remote attackers to cause a denial of service via unspecified vectors.
48 CVE-2014-2283 119 DoS Overflow 2014-03-11 2014-04-19
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-rlc in the RLC dissector in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 uses inconsistent memory-management approaches, which allows remote attackers to cause a denial of service (use-after-free error and application crash) via a crafted UMTS Radio Link Control packet.
49 CVE-2014-2282 119 DoS Overflow 2014-03-11 2014-04-01
4.3
None Remote Medium Not required None None Partial
The dissect_protocol_data_parameter function in epan/dissectors/packet-m3ua.c in the M3UA dissector in Wireshark 1.10.x before 1.10.6 does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) via a crafted SS7 MTP3 packet.
50 CVE-2014-2281 20 DoS Mem. Corr. 2014-03-11 2014-04-19
4.3
None Remote Medium Not required None None Partial
The nfs_name_snoop_add_name function in epan/dissectors/packet-nfs.c in the NFS dissector in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 does not validate a certain length value, which allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted NFS packet.
Total number of vulnerabilities : 538   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.