Security and Firewalls
Written by Administrator
Tuesday, April 26 2011 09:15

In today's internet, intrusion detection is a must to ensure data reliability for all parties. Nexus offers a state-of-the-art security solution to combat unauthorized access to your network. Firewalls are monitored constantly, 24x7, by trained staff, with failsafe backup servers at every turn. Whether wireline or wireless, Nexus has the manpower and resources to protect your data.

Last Updated on Wednesday, March 27 2013 08:26

CERT Cyber Security Bulletins

US-CERT Bulletins
Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk.
  • SB14-349: Vulnerability Summary for the Week of December 8, 2014
    Original release date: December 15, 2014

    The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

    The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

    • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

    • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

    • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

    Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

    High Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

    3s_pocketnet_tech -- 3s_pocketnet_tech_video_management_software
        Multiple buffer overflows in the PocketNetNVRMediaClientAxCtrl.NVRMediaViewer.1 control in 3S Pocketnet Tech VMS allow remote attackers to execute arbitrary code via a crafted string to the (1) StartRecord, (2) StartRecordEx, (3) StartScheduledRecord, (4) SetDisplayText, (5) GetONVIFDeviceInformation, (6) GetONVIFProfiles, or (7) GetONVIFStreamUri method or a crafted filename to the (8) SaveCurrentImage or (9) SaveCurrentImageEx method.
        Published: 2014-12-08 | CVSS: 7.5 | CVE-2014-9263 | Sources: MISC (5), BID
    adobe -- flash_player
        Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-0580
    adobe -- flash_player
        Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-9164.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-0587
    adobe -- flash_player
        Use-after-free vulnerability in Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8443
    adobe -- acrobat
        Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8445
    adobe -- acrobat
        Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8446
    adobe -- acrobat
        Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8447
    adobe -- acrobat
        Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8449
    adobe -- acrobat
        Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8455 and CVE-2014-9165.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8454
    adobe -- acrobat
        Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8454 and CVE-2014-9165.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8455
    adobe -- acrobat
        Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8456
    adobe -- acrobat
        Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8460 and CVE-2014-9159.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8457
    adobe -- acrobat
        Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8458
    adobe -- acrobat
        Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8461, and CVE-2014-9158.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8459
    adobe -- acrobat
        Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-9159.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8460
    adobe -- acrobat
        Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, and CVE-2014-9158.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-8461
    adobe -- acrobat
        Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, and CVE-2014-8461.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-9158
    adobe -- acrobat
        Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-9159
    adobe -- flash_player
        Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-9163
    adobe -- flash_player
        Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0587.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-9164
    adobe -- acrobat
        Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8454 and CVE-2014-8455.
        Published: 2014-12-10 | CVSS: 10.0 | CVE-2014-9165
    apple -- safari
        WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1.
        Published: 2014-12-10 | CVSS: 7.5 | CVE-2014-4466
    cisco -- unified_computing_system_central_software
        Cisco Integrated Management Controller in Cisco Unified Computing System 2.2(2c)A and earlier allows local users to obtain shell access via a crafted map-nfs command, aka Bug ID CSCup05998.
        Published: 2014-12-10 | CVSS: 7.2 | CVE-2014-8003
    digicom -- dg-5514t_adsl_router_firmware
        Digicom DG-5514T ADSL router with firmware 3.2 generates predictable session IDs, which allows remote attackers to gain administrator privileges via a brute force session hijacking attack.
        Published: 2014-12-09 | CVSS: 10.0 | CVE-2014-8496 | Sources: MISC
    emc -- documentum_content_server
        EMC Documentum Content Server 7.0, 7.1 before 7.1 P10, and 6.7 before SP2 P19 allows remote authenticated users to read or delete arbitrary files via unspecified vectors related to an insecure direct object reference.
        Published: 2014-12-06 | CVSS: 9.0 | CVE-2014-4629 | Sources: XF, SECTRACK, BID, BUGTRAQ, MISC
    emerson -- dl_8000_remote_terminal_unit
        Emerson Process Management ROC800 RTU with software 3.50 and earlier, DL8000 RTU with software 2.30 and earlier, and ROC800L RTU with software 1.20 and earlier allows remote attackers to execute arbitrary commands via a TCP replay attack.
        Published: 2014-12-08 | CVSS: 10.0 | CVE-2013-2810 | Sources: XF, BID
    entrypass -- n5200_active_network_control_panel
        EntryPass N5200 Active Network Control Panel does not properly restrict access, which allows remote attackers to obtain the administrator username and password, and possibly other sensitive information, via a request to /4.
        Published: 2014-12-07 | CVSS: 7.8 | CVE-2014-8868 | Sources: MISC, BUGTRAQ, FULLDISC
    entrypass -- n5200_active_network_control_panel
        EntryPass N5200 Active Network Control Panel allows remote attackers to read device memory and obtain the administrator username and password via a URL starting with an ASCII character o through z or A through D, different vectors than CVE-2014-8868.
        Published: 2014-12-07 | CVSS: 7.8 | CVE-2014-9303 | Sources: MISC, BUGTRAQ, FULLDISC
    erlang -- erlang/otp
        Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inject arbitrary FTP commands via CRLF sequences in the (1) user, (2) account, (3) cd, (4) ls, (5) nlist, (6) rename, (7) delete, (8) mkdir, (9) rmdir, (10) recv, (11) recv_bin, (12) recv_chunk_start, (13) send, (14) send_bin, (15) send_chunk_start, (16) append_chunk_start, (17) append, or (18) append_bin command.
        Published: 2014-12-08 | CVSS: 7.5 | CVE-2014-1693 | Sources: CONFIRM, MLIST, FEDORA
    ffmpeg -- ffmpeg
        The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via vectors related to LJIF tags in an MJPEG file.
        Published: 2014-12-09 | CVSS: 7.5 | CVE-2014-9316 | Sources: CONFIRM (2)
    ffmpeg -- ffmpeg
        The decode_ihdr_chunk function in libavcodec/pngdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via an IDAT before an IHDR in a PNG file.
        Published: 2014-12-09 | CVSS: 7.5 | CVE-2014-9317 | Sources: CONFIRM
    ffmpeg -- ffmpeg
        The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via a crafted .cine file that triggers the avpicture_get_size function to return a negative frame size.
        Published: 2014-12-09 | CVSS: 7.5 | CVE-2014-9318 | Sources: CONFIRM
    fujitsu -- arrows_kiss_f-03d
        FUJITSU F-12C, ARROWS Tab LTE F-01D, ARROWS Kiss F-03D, and REGZA Phone T-01D for Android allows local users to execute arbitrary commands via unspecified vectors.
        Published: 2014-12-05 | CVSS: 7.2 | CVE-2014-7253
    gnu -- binutils
        The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.
        Published: 2014-12-09 | CVSS: 7.5 | CVE-2014-8485 | Sources: CONFIRM (3), MLIST, FEDORA (3), MISC
    gnu -- binutils
        The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.
        Published: 2014-12-09 | CVSS: 7.5 | CVE-2014-8501 | Sources: CONFIRM (3), MLIST (2), FEDORA (3)
    gnu -- binutils
        Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.
        Published: 2014-12-09 | CVSS: 7.5 | CVE-2014-8502 | Sources: CONFIRM (3), MLIST, FEDORA (3)
    gnu -- binutils
        Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.
        Published: 2014-12-09 | CVSS: 7.5 | CVE-2014-8503 | Sources: CONFIRM (3), MLIST, FEDORA (3)
    gnu -- binutils
        Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.
        Published: 2014-12-09 | CVSS: 7.5 | CVE-2014-8504 | Sources: CONFIRM (3), MLIST (3), FEDORA (3)
    guruperl -- advertise_with_pleasure!
        SQL injection vulnerability in Guruperl.net Advertise With Pleasure! Professional (aka AWP PRO) 6.6 and earlier allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a list_zone action to cgi/client.cgi.
        Published: 2014-12-08 | CVSS: 7.5 | CVE-2014-9345 | Sources: EXPLOIT-DB, MISC, OSVDB
    hikvision -- dvr_ds-7204_firmware
        Buffer overflow in Hikvision DVR DS-7204 Firmware 2.2.10 build 131009, and other models and versions, allows remote attackers to execute arbitrary code via an RTSP PLAY request with a long Authorization header.
        Published: 2014-12-08 | CVSS: 7.5 | CVE-2014-4880 | Sources: EXPLOIT-DB, MISC
    hp -- hp-ux
        HP HP-UX B.11.11, B.11.23, and B.11.31, when the PAM configuration includes libpam_updbe, allows remote authenticated users to bypass authentication, and consequently execute arbitrary code, via unspecified vectors.
        Published: 2014-12-10 | CVSS: 8.5 | CVE-2014-7879
    ibm -- tivoli_endpoint_manager_mobile_device_management
        IBM Tivoli Endpoint Manager Mobile Device Management (MDM) before 9.0.60100 uses the same secret HMAC token across different customers' installations, which allows remote attackers to execute arbitrary code via crafted marshalled Ruby objects in cookies to (1) Enrollment and Apple iOS Management Extender, (2) Self-service portal, (3) Trusted Services provider, or (4) Admin Portal.
        Published: 2014-12-06 | CVSS: 9.3 | CVE-2014-6140 | Sources: MISC (2), SECTRACK, BID, BUGTRAQ, FULLDISC
    iij -- seil_plus
        The (1) PPP Access Concentrator (PPPAC) and (2) Dial-Up Networking Internet Initiative Japan Inc. SEIL series routers SEIL/x86 Fuji 1.00 through 3.22; SEIL/X1, SEIL/X2, and SEIL/B1 1.00 through 4.62; SEIL/Turbo 1.82 through 2.18; and SEIL/neu 2FE Plus 1.82 through 2.18 allow remote attackers to cause a denial of service (restart) via crafted (a) GRE or (b) MPPE packets.
        Published: 2014-12-05 | CVSS: 7.8 | CVE-2014-7256 | Sources: JVNDB, JVN
    isc -- bind
        ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory consumption and named crash) via a large or infinite number of referrals.
        Published: 2014-12-10 | CVSS: 7.8 | CVE-2014-8500 | Sources: CERT-VN, BID, SECTRACK, MISC
    jasper_project -- jasper
        Multiple off-by-one errors in the (1) jpc_dec_cp_setfromcox and (2) jpc_dec_cp_setfromrgn functions in jpc/jpc_dec.c in JasPer 1.900.1 and earlier allow remote attackers to execute arbitrary code via a crafted jp2 file, which triggers a heap-based buffer overflow.
        Published: 2014-12-08 | CVSS: 7.5 | CVE-2014-9029 | Sources: MISC (2), CONFIRM, XF, UBUNTU (2), BID, BUGTRAQ, MLIST, DEBIAN
    joyent -- node.js
        Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to execute arbitrary code via a crafted file.
        Published: 2014-12-11 | CVSS: 10.0 | CVE-2014-7192 | Sources: CONFIRM (2), XF
    kde -- kde-workspace
        The KDE Clock KCM policykit helper in kde-workspace before 4.11.14 and plasma-desktop before 5.1.1 allows local users to gain privileges via a crafted ntpUtility (ntp utility name) argument.
        Published: 2014-12-06 | CVSS: 7.2 | CVE-2014-8651 | Sources: UBUNTU, BID, MLIST (2), FEDORA (3)
    linux -- linux_kernel
        The mdp_lut_hw_update function in drivers/video/msm/mdp.c in the MDP display driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain start and length values within an ioctl call, which allows attackers to gain privileges via a crafted application.
        Published: 2014-12-12 | CVSS: 7.5 | CVE-2014-4323
    mantisbt -- mantisbt
        The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter.
        Published: 2014-12-08 | CVSS: 7.5 | CVE-2014-9280 | Sources: CONFIRM, XF, BID, MLIST (2)
    microsoft -- internet_explorer
        Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6329 and CVE-2014-6376.
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6327
    microsoft -- internet_explorer
        Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6327 and CVE-2014-6376.
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6329
    microsoft -- internet_explorer
        Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6330
    microsoft -- office_compatibility_pack
        Array index error in Microsoft Word 2007 SP3, Word 2010 SP2, and Office Compatibility Pack SP3 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Invalid Index Remote Code Execution Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6356
    microsoft -- office
        Use-after-free vulnerability in Microsoft Office 2010 SP2, Office 2013 Gold and SP1, Office 2013 RT Gold and SP1, Office for Mac 2011, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 Gold and SP1, and Office Web Apps 2010 SP2 and 2013 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Use After Free Word Remote Code Execution Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6357
    microsoft -- excel
        Microsoft Excel 2007 SP3, Excel 2010 SP2, and Office Compatibility Pack allow remote attackers to execute arbitrary code via a crafted Office document, aka "Global Free Remote Code Execution in Excel Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6360
    microsoft -- excel
        Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 Gold and SP1, Excel 2013 RT Gold and SP1, and Office Compatibility Pack allow remote attackers to execute arbitrary code via a crafted Office document, aka "Excel Invalid Pointer Remote Code Execution Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6361
    microsoft -- internet_explorer
        vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6363
    microsoft -- office
        Use-after-free vulnerability in Microsoft Office 2007 SP3; 2010 SP2; 2013 Gold, SP1, and SP2; and 2013 RT Gold and SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Component Use After Free Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6364
    microsoft -- internet_explorer
        Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6366
    microsoft -- internet_explorer
        Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6369
    microsoft -- internet_explorer
        Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6373
    microsoft -- internet_explorer
        Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6374
    microsoft -- internet_explorer
        Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6375
    microsoft -- internet_explorer
        Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6327 and CVE-2014-6329.
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-6376
    microsoft -- internet_explorer
        Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
        Published: 2014-12-10 | CVSS: 9.3 | CVE-2014-8966
    nvidia -- gpu_driver
        The NVIDIA Linux Discrete GPU drivers before R304.125, R331.x before R331.113, R340.x before R340.65, R343.x before R343.36, and R346.x before R346.22, Linux for Tegra (L4T) driver before R21.2, and Chrome OS driver before R40 allows remote attackers to cause a denial of service (segmentation fault and X server crash) or possibly execute arbitrary code via a crafted GLX indirect rendering protocol request.
        Published: 2014-12-10 | CVSS: 7.5 | CVE-2014-8298
    phpmyrecipes_project -- phpmyrecipes
        SQL injection vulnerability in dosearch.php in phpMyRecipes 1.2.2 allows remote attackers to execute arbitrary SQL commands via the words_exact parameter.
        Published: 2014-12-08 | CVSS: 7.5 | CVE-2014-9347 | Sources: XF, EXPLOIT-DB, OSVDB
    plex -- plex_media_server
        Plex Media Server before 0.9.9.3 allows remote attackers to bypass the web server whitelist, conduct SSRF attacks, and execute arbitrary administrative actions via multiple crafted X-Plex-Url headers to system/proxy, which are inconsistently processed by the request handler in the backend web server.
        Published: 2014-12-07 | CVSS: 7.5 | CVE-2014-9304 | Sources: MISC, BUGTRAQ
    robotstats -- robotstats
        SQL injection vulnerability in the formulaireRobot function in admin/robots.lib.php in RobotStats 1.0 allows remote attackers to execute arbitrary SQL commands via the robot parameter to admin/robots.php.
        Published: 2014-12-08 | CVSS: 7.5 | CVE-2014-9348 | Sources: XF, EXPLOIT-DB, MISC
    samsung -- smart_viewer
        The STWConfig ActiveX control in Samsung SmartViewer does not properly initialize a variable, which allows remote attackers to execute arbitrary code via unspecified vectors.
        Published: 2014-12-08 | CVSS: 7.5 | CVE-2014-9266 | Sources: MISC, BID
    sap -- sql_anywhere
        Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias.
        Published: 2014-12-11 | CVSS: 7.5 | CVE-2014-9264 | Sources: MISC (4)
    ultrapop -- i-httpd
        The Server Side Includes (SSI) implementation in the File Upload BBS component in ULTRAPOP.JP i-HTTPD allows remote attackers to execute arbitrary commands by uploading files containing commands in SSI directives.
        Published: 2014-12-11 | CVSS: 7.5 | CVE-2014-7260
    unrtf_project -- unrtf
        UnRTF allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code as demonstrated by a file containing the string "{\cb-999999999".
        Published: 2014-12-09 | CVSS: 7.5 | CVE-2014-9274 | Sources: CONFIRM, MLIST
    unrtf_project -- unrtf
        UnRTF allows remote attackers to cause a denial of service (out-of-bounds memory access and crash) and possibly execute arbitrary code via a crafted RTF file.
        Published: 2014-12-09 | CVSS: 7.5 | CVE-2014-9275 | Sources: CONFIRM, MLIST (2)
    vmware -- vcloud_automation_center
        The VMware Remote Console (VMRC) function in VMware vCloud Automation Center (vCAC) 6.0.1 through 6.1.1 allows remote authenticated users to gain privileges via vectors involving the "Connect (by) Using VMRC" function.
        Published: 2014-12-11 | CVSS: 9.0 | CVE-2014-8373 | Sources: SECTRACK, BUGTRAQ, SECUNIA, FULLDISC, MISC
    zohocorp -- manageengine_it360
        Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName parameter to the MigrateLEEData servlet or (2) zipFileName parameter in a downloadFileFromProbe operation to the MigrateCentralData servlet.
        Published: 2014-12-10 | CVSS: 7.5 | CVE-2014-7866 | Sources: CONFIRM, MISC, FULLDISC
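The Adobe rows above give their affected ranges in the bulletin's "before X" and "14.x through 16.x before Y" wording, which is easy to misread when checking an inventory by hand (a "before" is exclusive, and "14.x through 16.x" excludes 13.x builds that are already at or past their own fix). The following is an added example, not code from US-CERT, NIST or Adobe: it encodes those ranges exactly as the table words them and answers "is this installed version affected?" for a constructed Windows host. The CVE ids used as group keys (one per range family) and the product and platform names are this example's own choices.

```python
"""Affected-version check for the Adobe ranges in the High table above.

Added example: this is not code from the US-CERT bulletin or from Adobe. It
encodes the version ranges exactly as the bulletin words them; the product
and platform keys are this example's own naming.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
# (lowest major in the branch or None, highest major or None, first fixed version)
Rule = Tuple[Optional[int], Optional[int], str]

# Ranges quoted from the bulletin rows. "before X" with no branch means every
# older version; "14.x through 16.x before X" limits the test to those majors.
ADVISORIES: List[Tuple[str, str, Dict[str, List[Rule]]]] = [
    # CVE-2014-0580 shares its ranges with CVE-2014-0587, -8443 and -9164.
    ("CVE-2014-0580", "flash_player", {
        "windows": [(None, None, "13.0.0.259"), (14, 16, "16.0.0.235")],
        "osx":     [(None, None, "13.0.0.259"), (14, 16, "16.0.0.235")],
        "linux":   [(None, None, "11.2.202.425")],
    }),
    # CVE-2014-9163 (exploited in the wild) has a narrower desktop range.
    ("CVE-2014-9163", "flash_player", {
        "windows": [(None, None, "13.0.0.259"), (14, 15, "15.0.0.246")],
        "osx":     [(None, None, "13.0.0.259"), (14, 15, "15.0.0.246")],
        "linux":   [(None, None, "11.2.202.425")],
    }),
    # CVE-2014-8445 stands in for the whole Reader/Acrobat group (-8445 .. -9165).
    ("CVE-2014-8445", "acrobat", {
        "windows": [(10, 10, "10.1.13"), (11, 11, "11.0.10")],
        "osx":     [(10, 10, "10.1.13"), (11, 11, "11.0.10")],
    }),
]


def parse_version(text: str) -> Version:
    """'16.0.0.235' -> (16, 0, 0, 235); tuples then compare numerically, so
    13.0.0.259 < 13.0.0.300 even though '259' > '300' as strings."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def matches_rule(version: Version, rule: Rule) -> bool:
    """Affected when the major is inside the branch and the version is strictly
    below the first fixed build ("before" is exclusive)."""
    low, high, fixed = rule
    major = version[0]
    if low is not None and major < low:
        return False
    if high is not None and major > high:
        return False
    return version < parse_version(fixed)


def is_affected(cve: str, platform: str, installed: str) -> bool:
    """True if the bulletin's ranges for `cve` on `platform` cover `installed`.
    A platform the row does not mention yields False: that means "no range
    listed", not "known safe", so read the vendor advisory for that platform."""
    version = parse_version(installed)
    for cve_id, _product, per_platform in ADVISORIES:
        if cve_id == cve:
            return any(matches_rule(version, r) for r in per_platform.get(platform, []))
    raise KeyError(f"no ranges recorded for {cve}")


def affected_cves(platform: str, inventory: Dict[str, str]) -> List[str]:
    """inventory maps product key -> installed version; returns the CVE ids
    from the table whose ranges cover that inventory, sorted for stable diffs."""
    hits = []
    for cve_id, product, _ in ADVISORIES:
        if product in inventory and is_affected(cve_id, platform, inventory[product]):
            hits.append(cve_id)
    return sorted(hits)


if __name__ == "__main__":
    # constructed inventory for a Windows host
    host = {"flash_player": "15.0.0.239", "acrobat": "11.0.10"}
    print(affected_cves("windows", host))  # -> ['CVE-2014-0580', 'CVE-2014-9163']
```

Note the two Flash rows: a host on 15.0.0.239 is caught by both the 16.0.0.235 family and the narrower 15.0.0.246 fix for the in-the-wild stack overflow, while 16.0.0.235 itself is past every listed range. An empty result for a platform the row never mentions (Reader on Linux here) is not a clean bill; it only means the bulletin lists no range for it.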
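The Erlang/OTP row (CVE-2014-1693) in the table above is a textbook instance of CRLF injection: an FTP control connection is a sequence of CRLF-terminated lines, so a caller-supplied value that itself contains CR LF ends the current command and the remainder is read by the server as a second command. The block below is an added example, not Erlang/OTP code and not from the bulletin, showing the bug class on a generic Python command builder next to the hardened form; the function names and the constructed payload are this example's own.

```python
"""CRLF injection in an FTP command builder.

Added example for the Erlang/OTP row (CVE-2014-1693) above: the same bug
class shown on a generic Python client. This is not Erlang/OTP code; the
function names and the payload are this example's own.
"""
import re

CRLF = "\r\n"
# Any character that can end the current line or confuse the server's tokenizer.
FORBIDDEN = re.compile(r"[\r\n\x00]")


def is_safe_argument(argument: str) -> bool:
    """True when the value cannot terminate the command line early."""
    return FORBIDDEN.search(argument) is None


def build_command_unsafe(verb: str, argument: str) -> bytes:
    """Vulnerable form: the caller's value goes straight onto the control
    connection. A CR LF inside it terminates the command early and the rest
    is read by the server as a second command the attacker chose."""
    return f"{verb} {argument}{CRLF}".encode("utf-8")


def build_command(verb: str, argument: str) -> bytes:
    """Hardened form: refuse any argument that contains a line terminator
    (or NUL) instead of trying to escape it; FTP has no quoting that would
    make such a value safe to send as a single command."""
    if not is_safe_argument(argument):
        raise ValueError("line terminators are not allowed in FTP command arguments")
    return f"{verb} {argument}{CRLF}".encode("utf-8")


def server_side_split(stream: bytes) -> list:
    """How a server reads the control channel: one command per CRLF-terminated
    line. Used here to show what the unsafe builder actually transmits."""
    return [line for line in stream.decode("utf-8").split(CRLF) if line]


# Constructed attacker-controlled value, e.g. taken from a URL's userinfo part.
PAYLOAD = "anonymous\r\nDELE important.txt"

if __name__ == "__main__":
    print(server_side_split(build_command_unsafe("USER", PAYLOAD)))
    # -> ['USER anonymous', 'DELE important.txt']
    try:
        build_command("USER", PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The check belongs in the one place that serializes commands, not at each of the eighteen call sites the row enumerates; rejecting rather than escaping is the right choice because FTP has no quoting rule that makes an embedded line terminator safe. A bare LF is refused as well, since some servers accept it as a terminator.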

    Medium Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

    adobe -- acrobat
        An unspecified JavaScript API in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to obtain sensitive information via unknown vectors, a different vulnerability than CVE-2014-8451.
        Published: 2014-12-10 | CVSS: 5.0 | CVE-2014-8448
    adobe -- acrobat
        An unspecified JavaScript API in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to obtain sensitive information via unknown vectors, a different vulnerability than CVE-2014-8448.
        Published: 2014-12-10 | CVSS: 5.0 | CVE-2014-8451
    adobe -- acrobat
        Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
        Published: 2014-12-10 | CVSS: 5.0 | CVE-2014-8452
    adobe -- acrobat
        Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow remote attackers to bypass the Same Origin Policy via unspecified vectors.
        Published: 2014-12-10 | CVSS: 5.0 | CVE-2014-8453
    adobe -- flash_player
        Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to obtain sensitive information via unspecified vectors.
        Published: 2014-12-10 | CVSS: 5.0 | CVE-2014-9162
    adobe -- coldfusion
        Adobe ColdFusion 10 before Update 15 and 11 before Update 3 allows attackers to cause a denial of service (resource consumption) via unspecified vectors.
        Published: 2014-12-10 | CVSS: 5.0 | CVE-2014-9166
    alfresco -- community_edition
        Cross-site request forgery (CSRF) vulnerability in the cmisbrowser servlet in Content Management Interoperability Service (CMIS) in Alfresco Community Edition before 5.0.a allows remote attackers to hijack the authentication of users for requests that access unauthorized URLs and obtain user credentials via a URL in the url parameter.
        Published: 2014-12-07 | CVSS: 6.8 | CVE-2014-9300 | Sources: MISC, BUGTRAQ
    alfresco -- community_edition
        Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter.
        Published: 2014-12-07 | CVSS: 6.4 | CVE-2014-9301 | Sources: MISC, BUGTRAQ
    alfresco -- community_edition
        Server-side request forgery (SSRF) vulnerability in the cmisbrowser servlet in Content Management Interoperability Service (CMIS) in Alfresco Community Edition 5.0.a and earlier allows remote attackers to trigger outbound requests via a crafted URI in the url parameter.
        Published: 2014-12-07 | CVSS: 5.0 | CVE-2014-9302 | Sources: MISC, BUGTRAQ
    apache -- cloudstack
        Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind.
        Published: 2014-12-10 | CVSS: 5.0 | CVE-2014-7807 | Sources: BUGTRAQ
    apache -- struts
        Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
        Published: 2014-12-10 | CVSS: 6.8 | CVE-2014-7809 | Sources: SECTRACK, BUGTRAQ, MISC
    apple -- safari
        WebKit in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1 allows remote attackers to bypass the Same Origin Policy via crafted Cascading Style Sheets (CSS) token sequences within an SVG file in the SRC attribute of an IMG element.
        Published: 2014-12-10 | CVSS: 5.0 | CVE-2014-4465
    apple -- safari
        WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1.
        Published: 2014-12-10 | CVSS: 6.8 | CVE-2014-4468
    apple -- safari
        WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1.
        Published: 2014-12-10 | CVSS: 6.8 | CVE-2014-4469
    apple -- safari
        WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1.
        Published: 2014-12-10 | CVSS: 6.8 | CVE-2014-4470
    apple -- safari
        WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1.
        Published: 2014-12-10 | CVSS: 6.8 | CVE-2014-4471
    apple -- safari
        WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1.
        Published: 2014-12-10 | CVSS: 6.8 | CVE-2014-4472
    apple -- safari
        WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1.
        Published: 2014-12-10 | CVSS: 6.8 | CVE-2014-4473
    apple -- safari
        WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1.
        Published: 2014-12-10 | CVSS: 6.8 | CVE-2014-4474
    apple -- safariWebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-12-2-1.2014-12-106.8CVE-2014-4475
    autodesk -- design_review_2013The AdView.AdViewer.1 ActiveX control in Autodesk Design Review (ADR) before 2013 Hotfix 1 allows remote attackers to execute arbitrary code via a crafted DWF file.2014-12-086.8CVE-2014-9268
    MISC
    bmc -- bmc_track-it!BMC Track-It! 11.3 allows remote attackers to gain privileges and execute arbitrary code by creating an account whose name matches that of a local system account, then performing a password reset.2014-12-125.0CVE-2014-8270
    MISC
    CONFIRM
    bsd -- bsdThe TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.2014-12-115.0CVE-2014-7250
    MISC
    cisco -- unified_computing_system_central_softwareThe Management subsystem in Cisco Unified Computing System 2.1(3f) and earlier allows remote attackers to obtain sensitive information by reading log files, aka Bug ID CSCur99239.2014-12-105.0CVE-2014-8009
    cisco -- unified_communications_domain_managerThe web framework in Cisco Unified Communications Domain Manager 8 allows remote authenticated administrators to execute arbitrary OS commands via crafted values, aka Bug ID CSCuq50205.2014-12-104.6CVE-2014-8010
    debian -- hivex | CVE-2014-9273 | Published: 2014-12-08 | CVSS: 4.6 | Sources: CONFIRM, CONFIRM, CONFIRM, MLIST, MLIST
    lib/handle.c in Hivex before 1.3.11 allows local users to execute arbitrary code and gain privileges via a small hive file, which triggers an out-of-bounds read or write.
    elipse -- e3 | CVE-2014-5429 | Published: 2014-12-06 | CVSS: 5.0 | Sources: MISC
    DNP Master Driver 3.02 and earlier in Elipse SCADA 2.29 build 141 and earlier, E3 1.0 through 4.6, and Elipse Power 1.0 through 4.6 allows remote attackers to cause a denial of service (CPU consumption) via malformed packets.

    emc -- rsa_adaptive_authentication_on-premise | CVE-2014-4631 | Published: 2014-12-08 | CVSS: 5.0 | Sources: XF, SECTRACK, BID, BUGTRAQ
    RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

    f5 -- arx | CVE-2014-8730 | Published: 2014-12-09 | CVSS: 4.3 | Sources: MISC, MLIST
    The SSL profiles component in F5 BIG-IP LTM, APM, and ASM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, AAM 11.4.0 through 11.5.1, AFM 11.3.0 through 11.5.1, Analytics 11.0.0 through 11.5.1, Edge Gateway, WebAccelerator, and WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, PEM 11.3.0 through 11.6.0, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.4.1 and BIG-IQ Cloud and Security 4.0.0 through 4.4.0 and Device 4.2.0 through 4.4.0, when using TLS 1.x before TLS 1.2, does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE). NOTE: the scope of this identifier is limited to the F5 implementation only. Other vulnerable implementations should receive their own CVE ID, since this is not a vulnerability within the design of TLS 1.x itself.

    f5 -- big-ip | CVE-2014-9342 | Published: 2014-12-08 | CVSS: 4.3 | Sources: BUGTRAQ
    Cross-site scripting (XSS) vulnerability in the tree view (pl_tree.php) feature in Application Security Manager (ASM) in F5 BIG-IP 11.3.0 allows remote attackers to inject arbitrary web script or HTML by accessing a crafted URL during automatic policy generation.

    ffmpeg -- ffmpeg | CVE-2014-9319 | Published: 2014-12-09 | CVSS: 5.0 | Sources: CONFIRM
    The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted .bit file.

    fujitsu -- arrows_tab_lte_f-01d | CVE-2014-7252 | Published: 2014-12-05 | CVSS: 4.6 | Sources: JVNDB, JVN, MISC, MISC
    Multiple unspecified vulnerabilities in the Syslink driver for Texas Instruments OMAP mobile processor, as used on NTT DOCOMO ARROWS Tab LTE F-01D, ARROWS X LTE F-05D, Disney Mobile on docomo F-08D, REGZA Phone T-01D, and PRADA phone by LG L-02D; and SoftBank SHARP handsets 102SH allow local users to execute arbitrary code or read kernel memory via unknown vectors related to userland data and "improper data validation."

    fujitsu -- arrows_me_f-11d | CVE-2014-7254 | Published: 2014-12-05 | CVSS: 4.6 | Sources: JVNDB, JVN, MISC
    Unspecified vulnerability in ARROWS Me F-11D allows physically proximate attackers to read or modify flash memory via unknown vectors.

    globiz_solutions -- snowfox_content_management_system | CVE-2014-9343 | Published: 2014-12-08 | CVSS: 5.8 | Sources: MISC, CONFIRM, XF, MISC, MISC, OSVDB
    Open redirect vulnerability in modules/system/controller/selectlanguage.class.php in Snowfox CMS 1.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the rd parameter in a submit action to snowfox/.

    globiz_solutions -- snowfox_content_management_system | CVE-2014-9344 | Published: 2014-12-08 | CVSS: 6.8 | Sources: XF, MISC, MISC, OSVDB
    Cross-site request forgery (CSRF) vulnerability in Snowfox CMS before 1.0.10 allows remote attackers to hijack the authentication of administrators for requests that add a new admin account via a submit action in the admin/accounts/create uri to snowfox/.

    gnu -- binutils | CVE-2014-8484 | Published: 2014-12-09 | CVSS: 5.0 | Sources: CONFIRM, CONFIRM, CONFIRM, MLIST, MLIST, FEDORA, FEDORA, FEDORA
    The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.

    ibm -- websphere_datapower_xc10_appliance_firmware | CVE-2014-3058 | Published: 2014-12-11 | CVSS: 6.0 | Sources: XF, AIXAPAR
    Cross-site request forgery (CSRF) vulnerability on the IBM WebSphere DataPower XC10 appliance 2.1 and 2.5 before FP4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

    ibm -- _ibm_rational_lifecycle_integration_adapter_for_windchill | CVE-2014-4815 | Published: 2014-12-11 | CVSS: 4.3 | Sources: XF
    Session fixation vulnerability in IBM Rational Lifecycle Integration Adapter for Windchill 1.x before 1.0.1 allows remote attackers to hijack web sessions via unspecified vectors.

    ibm -- operational_decision_manager | CVE-2014-6114 | Published: 2014-12-11 | CVSS: 5.0 | Sources: XF
    The Hosted Transparent Decision Service in the Rule Execution Server in IBM WebSphere ILOG JRules 7.1 before MP1 FP5 IF43; WebSphere Operational Decision Management 7.5 before FP3 IF41; and Operational Decision Manager 8.0 before MP1 FP2 IF34, 8.5 before MP1 FP1 IF43, and 8.6 before IF8 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

    ibm -- websphere_datapower_xc10_appliance_firmware | CVE-2014-6138 | Published: 2014-12-12 | CVSS: 4.0 | Sources: XF, AIXAPAR
    The IBM WebSphere DataPower XC10 appliance 2.1 and 2.5 before FP4 allows remote authenticated users to bypass intended grid-data access restrictions via unspecified vectors.

    icecast -- icecast | CVE-2014-9091 | Published: 2014-12-10 | CVSS: 4.6 | Sources: CONFIRM, CONFIRM, MLIST, MLIST, SUSE
    Icecast before 2.4.0 does not change the supplementary group privileges when <changeowner> is configured, which allows local users to gain privileges via unspecified vectors.

    iij -- seil_b1_firmware | CVE-2014-7255 | Published: 2014-12-05 | CVSS: 5.0 | Sources: JVNDB, JVN
    Internet Initiative Japan Inc. SEIL Series routers SEIL/X1 2.50 through 4.62, SEIL/X2 2.50 through 4.62, SEIL/B1 2.50 through 4.62, and SEIL/x86 Fuji 1.70 through 3.22 allow remote attackers to cause a denial of service (CPU and traffic consumption) via a large number of NTP requests within a short time, which causes unnecessary NTP responses to be sent.

    isc -- bind | CVE-2014-8680 | Published: 2014-12-10 | CVSS: 5.4
    The GeoIP functionality in ISC BIND 9.10.0 through 9.10.1 allows remote attackers to cause a denial of service (assertion failure and named exit) via vectors related to (1) the lack of GeoIP databases for both IPv4 and IPv6, or (2) IPv6 support with certain options.

    jrss_widget_project -- jrss_widget | CVE-2014-9292 | Published: 2014-12-05 | CVSS: 5.8 | Sources: MISC
    Server-side request forgery (SSRF) vulnerability in proxy.php in the jRSS Widget plugin 1.2 and earlier for WordPress allows remote attackers to trigger outbound requests and enumerate open ports via the url parameter.

    kde -- kde-runtime | CVE-2014-8600 | Published: 2014-12-08 | CVSS: 4.3 | Sources: MISC, BID, FULLDISC
    Multiple cross-site scripting (XSS) vulnerabilities in KDE-Runtime 4.14.3 and earlier, kwebkitpart 1.3.4 and earlier, and kio-extras 5.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via a crafted URI using the (1) zip, (2) trash, (3) tar, (4) thumbnail, (5) smtps, (6) smtp, (7) smb, (8) remote, (9) recentdocuments, (10) nntps, (11) nntp, (12) network, (13) mbox, (14) ldaps, (15) ldap, (16) fonts, (17) file, (18) desktop, (19) cgi, (20) bookmarks, or (21) ar scheme, which is not properly handled in an error message.

    lg -- l-03e | CVE-2014-7243 | Published: 2014-12-05 | CVSS: 5.0 | Sources: JVNDB, JVN, MISC
    LG Electronics Mobile WiFi router L-09C, L-03E, and L-04D does not restrict access to the web administration interface, which allows remote attackers to obtain sensitive information via unspecified vectors.

    linpha -- linpha | CVE-2014-7265 | Published: 2014-12-12 | CVSS: 4.3
    Cross-site scripting (XSS) vulnerability in LinPHA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

    linuxfoundation -- xen | CVE-2014-9065 | Published: 2014-12-09 | CVSS: 4.4 | Sources: MLIST
    common/spinlock.c in Xen 4.4.x and earlier does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability to CVE-2014-9066.
    linuxfoundation -- xen | CVE-2014-9066 | Published: 2014-12-09 | CVSS: 4.7 | Sources: MLIST
    Xen 4.4.x and earlier, when using a large number of VCPUs, does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability than CVE-2014-9065.
    logintoboggan_project -- logintoboggan | CVE-2014-9361 | Published: 2014-12-10 | CVSS: 4.3
    The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page.

    logintoboggan_project -- logintoboggan | CVE-2014-9364 | Published: 2014-12-10 | CVSS: 4.3
    Cross-site scripting (XSS) vulnerability in the Unified Login form in the LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

    mantisbt -- mantisbt | CVE-2014-6316 | Published: 2014-12-12 | CVSS: 5.8 | Sources: CONFIRM, XF, BID, MLIST, MLIST
    core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.

    mantisbt -- mantisbt | CVE-2014-9117 | Published: 2014-12-06 | CVSS: 5.0 | Sources: CONFIRM, XF, BID, MLIST, MLIST
    MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0.

    mantisbt -- mantisbt | CVE-2014-9270 | Published: 2014-12-08 | CVSS: 4.3 | Sources: CONFIRM, XF, BID, MLIST, MLIST
    Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field.

    mantisbt -- mantisbt | CVE-2014-9279 | Published: 2014-12-08 | CVSS: 5.0 | Sources: XF, BID, MLIST
    The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL.

    mantisbt -- mantisbt | CVE-2014-9281 | Published: 2014-12-09 | CVSS: 4.3 | Sources: CONFIRM, XF, BID, MLIST, MLIST, MLIST
    Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field.

    meta_tags_quick_project -- meta_tags_quick | CVE-2014-9363 | Published: 2014-12-10 | CVSS: 5.5
    Open redirect vulnerability in the path-based meta tag editing form in the Meta tags quick module 7.x-2.x before 7.x-2.8 for Drupal allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the destination parameter.

    microsoft -- exchange_server | CVE-2014-6319 | Published: 2014-12-10 | CVSS: 5.0
    Outlook Web App (OWA) in Microsoft Exchange Server 2007 SP3, 2010 SP3, and 2013 SP1 and Cumulative Update 6 does not properly validate tokens in requests, which allows remote attackers to spoof the origin of e-mail messages via unspecified vectors, aka "Outlook Web App Token Spoofing Vulnerability."

    microsoft -- exchange_server | CVE-2014-6325 | Published: 2014-12-10 | CVSS: 4.3
    Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2013 SP1 and Cumulative Update 6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "OWA XSS Vulnerability," a different vulnerability than CVE-2014-6326.

    microsoft -- exchange_server | CVE-2014-6326 | Published: 2014-12-10 | CVSS: 4.3
    Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2013 SP1 and Cumulative Update 6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "OWA XSS Vulnerability," a different vulnerability than CVE-2014-6325.

    microsoft -- internet_explorer | CVE-2014-6328 | Published: 2014-12-10 | CVSS: 5.0
    Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the XSS filter via a crafted attribute of an element in an HTML document, aka "Internet Explorer XSS Filter Bypass Vulnerability," a different vulnerability than CVE-2014-6365.

    microsoft -- windows_7 | CVE-2014-6355 | Published: 2014-12-10 | CVSS: 5.0
    The Graphics Component in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly process JPEG images, which makes it easier for remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Graphics Component Information Disclosure Vulnerability."

    microsoft -- internet_explorer | CVE-2014-6365 | Published: 2014-12-10 | CVSS: 4.3
    Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the XSS filter via a crafted attribute of an element in an HTML document, aka "Internet Explorer XSS Filter Bypass Vulnerability," a different vulnerability than CVE-2014-6328.

    microsoft -- internet_explorer | CVE-2014-6368 | Published: 2014-12-10 | CVSS: 4.3
    Microsoft Internet Explorer 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability."

    mozilla -- firefox | CVE-2014-1587 | Published: 2014-12-11 | CVSS: 6.8 | Sources: CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM
    Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

    mozilla -- firefox | CVE-2014-1588 | Published: 2014-12-11 | CVSS: 6.8 | Sources: CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM
    Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

    mozilla -- firefox | CVE-2014-1589 | Published: 2014-12-11 | CVSS: 6.8 | Sources: CONFIRM
    Mozilla Firefox before 34.0 and SeaMonkey before 2.31 provide stylesheets with an incorrect primary namespace, which allows remote attackers to bypass intended access restrictions via an XBL binding.

    mozilla -- firefox | CVE-2014-1590 | Published: 2014-12-11 | CVSS: 4.3 | Sources: CONFIRM
    The XMLHttpRequest.prototype.send method in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allows remote attackers to cause a denial of service (application crash) via a crafted JavaScript object.

    mozilla -- firefox | CVE-2014-1591 | Published: 2014-12-11 | CVSS: 4.3 | Sources: CONFIRM
    Mozilla Firefox 33.0 and SeaMonkey before 2.31 include path strings in CSP violation reports, which allows remote attackers to obtain sensitive information via a web site that receives a report after a redirect.

    mozilla -- firefox | CVE-2014-1592 | Published: 2014-12-11 | CVSS: 6.8 | Sources: CONFIRM
    Use-after-free vulnerability in the nsHtml5TreeOperation function in xul.dll in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allows remote attackers to execute arbitrary code by adding a second root element to an HTML5 document during parsing.

    mozilla -- firefox | CVE-2014-1593 | Published: 2014-12-11 | CVSS: 6.8 | Sources: CONFIRM
    Stack-based buffer overflow in the mozilla::FileBlockCache::Read function in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allows remote attackers to execute arbitrary code via crafted media content.

    mozilla -- firefox | CVE-2014-1594 | Published: 2014-12-11 | CVSS: 6.8 | Sources: CONFIRM
    Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 might allow remote attackers to execute arbitrary code by leveraging an incorrect cast from the BasicThebesLayer data type to the BasicContainerLayer data type.

    mozilla -- firefox | CVE-2014-8631 | Published: 2014-12-11 | CVSS: 4.3 | Sources: CONFIRM
    The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 supports native-interface passing, which allows remote attackers to bypass intended DOM object restrictions via a call to an unspecified method.

    mozilla -- firefox | CVE-2014-8632 | Published: 2014-12-11 | CVSS: 4.3 | Sources: CONFIRM
    The structured-clone implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 does not properly interact with XrayWrapper property filtering, which allows remote attackers to bypass intended DOM object restrictions by leveraging property availability after XrayWrapper removal.

    nginx -- nginx | CVE-2014-3616 | Published: 2014-12-08 | CVSS: 4.3
    nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.

    nlnet_labs -- unbound | CVE-2014-8602 | Published: 2014-12-10 | CVSS: 4.3 | Sources: CERT-VN, MISC
    iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals.

    open-emr -- openemr | CVE-2014-5462 | Published: 2014-12-08 | CVSS: 6.5 | Sources: MISC, FULLDISC, MISC
    Multiple SQL injection vulnerabilities in OpenEMR 4.1.2 (Patch 7) and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) layout_id parameter to interface/super/edit_layout.php; (2) form_patient_id, (3) form_drug_name, or (4) form_lot_number parameter to interface/reports/prescriptions_report.php; (5) payment_id parameter to interface/billing/edit_payment.php; (6) id parameter to interface/forms_admin/forms_admin.php; (7) form_pid or (8) form_encounter parameter to interface/billing/sl_eob_search.php; (9) sortby parameter to interface/logview/logview.php; form_facility parameter to (10) procedure_stats.php, (11) pending_followup.php, or (12) pending_orders.php in interface/orders/; (13) patient, (14) encounterid, (15) formid, or (16) issue parameter to interface/patient_file/deleter.php; (17) search_term parameter to interface/patient_file/encounter/coding_popup.php; (18) text parameter to interface/patient_file/encounter/search_code.php; (19) form_addr1, (20) form_addr2, (21) form_attn, (22) form_country, (23) form_freeb_type, (24) form_partner, (25) form_name, (26) form_zip, (27) form_state, (28) form_city, or (29) form_cms_id parameter to interface/practice/ins_search.php; (30) form_pid parameter to interface/patient_file/problem_encounter.php; (31) patient, (32) form_provider, (33) form_apptstatus, or (34) form_facility parameter to interface/reports/appointments_report.php; (35) db_id parameter to interface/patient_file/summary/demographics_save.php; (36) p parameter to interface/fax/fax_dispatch_newpid.php; or (37) patient_id parameter to interface/patient_file/reminder/patient_reminders.php.

    openbsd -- openssh | CVE-2014-9278 | Published: 2014-12-06 | CVSS: 4.0 | Sources: CONFIRM, CONFIRM, XF, BID, MLIST, MLIST, MISC
    The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.

    phpmyadmin -- phpmyadmin | CVE-2014-9218 | Published: 2014-12-08 | CVSS: 5.0 | Sources: CONFIRM, CONFIRM, CONFIRM, XF, CONFIRM
    libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (resource consumption) via a long password.

    phpmyadmin -- phpmyadmin | CVE-2014-9219 | Published: 2014-12-08 | CVSS: 4.3 | Sources: CONFIRM, XF
    Cross-site scripting (XSS) vulnerability in the redirection feature in url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter.

    powerdns -- recursor | CVE-2014-8601 | Published: 2014-12-10 | CVSS: 5.0 | Sources: CERT-VN, SECTRACK, BID, MISC
    PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which allows remote attackers to cause a denial of service ("performance degradations") via a large or infinite number of referrals, as demonstrated by resolving domains hosted by ezdns.it.

    ptc -- isoview | CVE-2014-9267 | Published: 2014-12-08 | CVSS: 6.8 | Sources: MISC, MISC, MISC, BID
    Heap-based buffer overflow in the PTC IsoView ActiveX control allows remote attackers to execute arbitrary code via a crafted ViewPort property value.

    python -- python | CVE-2014-9365 | Published: 2014-12-12 | CVSS: 5.8 | Sources: CONFIRM, MLIST, CONFIRM
    The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

    pyyaml -- libyaml | CVE-2014-9130 | Published: 2014-12-08 | CVSS: 5.0 | Sources: MISC, CONFIRM, XF, BID, MLIST, MLIST, MLIST, SECUNIA, SECUNIA
    scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.
    qemu -- qemu | CVE-2014-8106 | Published: 2014-12-08 | CVSS: 4.6 | Sources: XF, BID, MLIST, SECUNIA, MLIST, CONFIRM, CONFIRM
    Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-1320.
    reality66 -- cart66_lite | CVE-2014-9305 | Published: 2014-12-08 | CVSS: 6.5 | Sources: EXPLOIT-DB, MISC, MISC, OSVDB
    SQL injection vulnerability in the shortcodeProductsTable function in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.2 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a shortcode_products_table action to wp-admin/admin-ajax.php.
    redhat -- jboss_enterprise_portal_platform | CVE-2014-7852 | Published: 2014-12-11 | CVSS: 4.3
    Cross-site scripting (XSS) vulnerability in JBoss RichFaces, as used in JBoss Portal 6.1.1, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in a CSS file.
    robotstats -- robotstats | CVE-2014-9349 | Published: 2014-12-08 | CVSS: 4.3 | Sources: XF, EXPLOIT-DB, MISC
    Multiple cross-site scripting (XSS) vulnerabilities in admin/robots.lib.php in RobotStats 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) nom or (2) user_agent parameter to admin/robots.php.

    samsung -- smartviewer | CVE-2014-9265 | Published: 2014-12-08 | CVSS: 6.8 | Sources: MISC, BID
    Stack-based buffer overflow in the BackupToAvi method in the CNC_Ctrl ActiveX control in Samsung SmartViewer allows remote attackers to execute arbitrary code via unspecified vectors.

    scalix -- web_access | CVE-2014-9352 | Published: 2014-12-09 | CVSS: 4.3 | Sources: MISC, BUGTRAQ, FULLDISC
    Cross-site scripting (XSS) vulnerability in the mail administration login panel in Scalix Web Access 11.4.6.12377 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

    scalix -- web_access | CVE-2014-9360 | Published: 2014-12-10 | CVSS: 6.4 | Sources: MISC, BUGTRAQ, FULLDISC
    XML external entity (XXE) vulnerability in Scalix Web Access 11.4.6.12377 and 12.2.0.14697 allows remote attackers to read arbitrary files and trigger requests to intranet servers via a crafted request.

    subrion -- cms | CVE-2014-9120 | Published: 2014-12-10 | CVSS: 4.3 | Sources: MISC, CONFIRM
    Cross-site scripting (XSS) vulnerability in Subrion CMS before 3.2.3 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to subrion/search/.

    teeworlds -- teeworlds | CVE-2014-9351 | Published: 2014-12-09 | CVSS: 6.4 | Sources: CONFIRM, CONFIRM, BID, FEDORA, FEDORA, FEDORA
    engine/server/server.cpp in Teeworlds 0.6.x before 0.6.3 allows remote attackers to read memory and cause a denial of service (crash) via unspecified vectors.

    torch_gmbh -- graylog2 | CVE-2014-9217 | Published: 2014-12-08 | CVSS: 5.0
    Graylog2 before 0.92 allows remote attackers to bypass LDAP authentication via crafted wildcards.

    tp-link -- tl-wr740n | CVE-2014-9350 | Published: 2014-12-08 | CVSS: 5.0 | Sources: XF, MISC, OSVDB, EXPLOIT-DB, MISC
    TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

    trihedral -- vtscada | CVE-2014-9192 | Published: 2014-12-11 | CVSS: 5.0
    Integer overflow in Trihedral Engineering VTScada (formerly VTS) 6.5 through 9.x before 9.1.20, 10.x before 10.2.22, and 11.x before 11.1.07 allows remote attackers to cause a denial of service (server crash) via a crafted request, which triggers a large memory allocation.

    ultrapop -- i-httpd | CVE-2014-7261 | Published: 2014-12-11 | CVSS: 4.3
    Cross-site scripting (XSS) vulnerability in ULTRAPOP.JP i-HTTPD allows remote attackers to inject arbitrary web script or HTML via a crafted string that is improperly rendered during construction of a directory index page, a different vulnerability than CVE-2014-7263.

    ultrapop -- i-httpd | CVE-2014-7262 | Published: 2014-12-11 | CVSS: 4.3
    Cross-site scripting (XSS) vulnerability in the Omake BBS component in ULTRAPOP.JP i-HTTPD allows remote attackers to inject arbitrary web script or HTML via a crafted string.

    ultrapop -- i-httpd | CVE-2014-7263 | Published: 2014-12-11 | CVSS: 4.3 | Sources: JVNDB, JVN, MISC
    Cross-site scripting (XSS) vulnerability in ULTRAPOP.JP i-HTTPD allows remote attackers to inject arbitrary web script or HTML via a crafted HTTP header, a different vulnerability than CVE-2014-7261.

    vmware -- vcenter_server_appliance | CVE-2014-3797 | Published: 2014-12-08 | CVSS: 4.3 | Sources: BUGTRAQ, FULLDISC
    Cross-site scripting (XSS) vulnerability in VMware vCenter Server Appliance (vCSA) 5.1 before Update 3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

    vmware -- vcenter_server_appliance | CVE-2014-8371 | Published: 2014-12-08 | CVSS: 4.3 | Sources: BUGTRAQ, FULLDISC
    VMware vCenter Server Appliance (vCSA) 5.5 before Update 2, 5.1 before Update 3, and 5.0 before Update 3c does not properly validate certificates when connecting to a CIM Server on an ESXi host, which allows man-in-the-middle attackers to spoof CIM servers via a crafted certificate.

    vmware -- airwatch | CVE-2014-8372 | Published: 2014-12-11 | CVSS: 4.0 | Sources: FULLDISC
    AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 (FP3) allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference.

    x -- x_window_system | CVE-2014-8091 | Published: 2014-12-10 | CVSS: 4.3 | Sources: CONFIRM
    X.Org X Window System (aka X11 and X) X11R5 and X.Org Server (aka xserver and xorg-server) before 1.16.3, when using SUN-DES-1 (Secure RPC) authentication credentials, does not check the return value of a malloc call, which allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a crafted connection request.

    x -- x_window_system | CVE-2014-8092 | Published: 2014-12-10 | CVSS: 6.5
    Multiple integer overflows in X.Org X Window System (aka X11 or X) X11R1 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to the (1) ProcPutImage, (2) GetHosts, (3) RegionSizeof, or (4) REQUEST_FIXED_SIZE function, which triggers an out-of-bounds read or write.

    x -- x_window_system | CVE-2014-8093 | Published: 2014-12-10 | CVSS: 6.5
    Multiple integer overflows in the GLX extension in XFree86 4.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to the (1) __glXDisp_ReadPixels, (2) __glXDispSwap_ReadPixels, (3) __glXDisp_GetTexImage, (4) __glXDispSwap_GetTexImage, (5) GetSeparableFilter, (6) GetConvolutionFilter, (7) GetHistogram, (8) GetMinmax, (9) GetColorTable, (10) __glXGetAnswerBuffer, (11) __GLX_GET_ANSWER_BUFFER, (12) __glXMap1dReqSize, (13) __glXMap1fReqSize, (14) Map2Size, (15) __glXMap2dReqSize, (16) __glXMap2fReqSize, (17) __glXImageSize, or (18) __glXSeparableFilter2DReqSize function, which triggers an out-of-bounds read or write.

    x -- xorg-server | CVE-2014-8094 | Published: 2014-12-10 | CVSS: 6.5
    Integer overflow in the ProcDRI2GetBuffers function in the DRI2 extension in X.Org Server (aka xserver and xorg-server) 1.7.0 through 1.16.x before 1.16.3 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, which triggers an out-of-bounds read or write.

    x -- x_window_system | CVE-2014-8095 | Published: 2014-12-10 | CVSS: 6.5
    The XInput extension in X.Org X Window System (aka X11 or X) X11R4 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcXChangeDeviceControl, (2) ProcXChangeDeviceControl, (3) ProcXChangeFeedbackControl, (4) ProcXSendExtensionEvent, (5) SProcXIAllowEvents, (6) SProcXIChangeCursor, (7) ProcXIChangeHierarchy, (8) SProcXIGetClientPointer, (9) SProcXIGrabDevice, (10) SProcXIUngrabDevice, (11) ProcXIUngrabDevice, (12) SProcXIPassiveGrabDevice, (13) ProcXIPassiveGrabDevice, (14) SProcXIPassiveUngrabDevice, (15) ProcXIPassiveUngrabDevice, (16) SProcXListDeviceProperties, (17) SProcXDeleteDeviceProperty, (18) SProcXIListProperties, (19) SProcXIDeleteProperty, (20) SProcXIGetProperty, (21) SProcXIQueryDevice, (22) SProcXIQueryPointer, (23) SProcXISelectEvents, (24) SProcXISetClientPointer, (25) SProcXISetFocus, (26) SProcXIGetFocus, or (27) SProcXIWarpPointer function.
    x -- x_window_systemThe SProcXCMiscGetXIDList function in the XC-MISC extension in X.Org X Window System (aka X11 or X) X11R6.0 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value.2014-12-106.5CVE-2014-8096
    x -- x_window_systemThe DBE extension in X.Org X Window System (aka X11 or X) X11R6.1 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) ProcDbeSwapBuffers or (2) SProcDbeSwapBuffers function.2014-12-106.5CVE-2014-8097
    x -- x_window_systemThe GLX extension in XFree86 4.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) __glXDisp_Render, (2) __glXDisp_RenderLarge, (3) __glXDispSwap_VendorPrivate, (4) __glXDispSwap_VendorPrivateWithReply, (5) set_client_info, (6) __glXDispSwap_SetClientInfoARB, (7) DoSwapInterval, (8) DoGetProgramString, (9) DoGetString, (10) __glXDispSwap_RenderMode, (11) __glXDisp_GetCompressedTexImage, (12) __glXDispSwap_GetCompressedTexImage, (13) __glXDisp_FeedbackBuffer, (14) __glXDispSwap_FeedbackBuffer, (15) __glXDisp_SelectBuffer, (16) __glXDispSwap_SelectBuffer, (17) __glXDisp_Flush, (18) __glXDispSwap_Flush, (19) __glXDisp_Finish, (20) __glXDispSwap_Finish, (21) __glXDisp_ReadPixels, (22) __glXDispSwap_ReadPixels, (23) __glXDisp_GetTexImage, (24) __glXDispSwap_GetTexImage, (25) __glXDisp_GetPolygonStipple, (26) __glXDispSwap_GetPolygonStipple, (27) __glXDisp_GetSeparableFilter, (28) __glXDisp_GetSeparableFilterEXT, (29) __glXDisp_GetConvolutionFilter, (30) __glXDisp_GetConvolutionFilterEXT, (31) __glXDisp_GetHistogram, (32) __glXDisp_GetHistogramEXT, (33) __glXDisp_GetMinmax, (34) __glXDisp_GetMinmaxEXT, (35) __glXDisp_GetColorTable, (36) __glXDisp_GetColorTableSGI, (37) GetSeparableFilter, (38) GetConvolutionFilter, (39) GetHistogram, (40) GetMinmax, or (41) GetColorTable function.2014-12-106.5CVE-2014-8098
    CONFIRM
    x -- x_window_systemThe XVideo extension in XFree86 4.0.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcXvQueryExtension, (2) SProcXvQueryAdaptors, (3) SProcXvQueryEncodings, (4) SProcXvGrabPort, (5) SProcXvUngrabPort, (6) SProcXvPutVideo, (7) SProcXvPutStill, (8) SProcXvGetVideo, (9) SProcXvGetStill, (10) SProcXvPutImage, (11) SProcXvShmPutImage, (12) SProcXvSelectVideoNotify, (13) SProcXvSelectPortNotify, (14) SProcXvStopVideo, (15) SProcXvSetPortAttribute, (16) SProcXvGetPortAttribute, (17) SProcXvQueryBestSize, (18) SProcXvQueryPortAttributes, (19) SProcXvQueryImageAttributes, or (20) SProcXvListImageFormats function.2014-12-106.5CVE-2014-8099
    x -- x_window_systemThe Render extension in XFree86 4.0.1, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) ProcRenderQueryVersion, (2) SProcRenderQueryVersion, (3) SProcRenderQueryPictFormats, (4) SProcRenderQueryPictIndexValues, (5) SProcRenderCreatePicture, (6) SProcRenderChangePicture, (7) SProcRenderSetPictureClipRectangles, (8) SProcRenderFreePicture, (9) SProcRenderComposite, (10) SProcRenderScale, (11) SProcRenderCreateGlyphSet, (12) SProcRenderReferenceGlyphSet, (13) SProcRenderFreeGlyphSet, (14) SProcRenderFreeGlyphs, or (15) SProcRenderCompositeGlyphs function.2014-12-106.5CVE-2014-8100
    x -- x_window_systemThe RandR extension in XFree86 4.2.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcRRQueryVersion, (2) SProcRRGetScreenInfo, (3) SProcRRSelectInput, or (4) SProcRRConfigureOutputProperty function.2014-12-106.5CVE-2014-8101
    x -- x_window_systemThe SProcXFixesSelectSelectionInput function in the XFixes extension in X.Org X Window System (aka X11 or X) X11R6.8.0 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length value.2014-12-106.5CVE-2014-8102
    x -- xorg-serverX.Org Server (aka xserver and xorg-server) 1.15.0 through 1.16.x before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) sproc_dri3_query_version, (2) sproc_dri3_open, (3) sproc_dri3_pixmap_from_buffer, (4) sproc_dri3_buffer_from_pixmap, (5) sproc_dri3_fence_from_fd, (6) sproc_dri3_fd_from_fence, (7) proc_present_query_capabilities, (8) sproc_present_query_version, (9) sproc_present_pixmap, (10) sproc_present_notify_msc, (11) sproc_present_select_input, or (12) sproc_present_query_capabilities function in the (a) DRI3 or (b) Present extension.2014-12-106.5CVE-2014-8103
    yourls -- yourlsCross-site scripting (XSS) vulnerability in the administrator panel in Yourls 1.7 allows remote attackers to inject arbitrary web script or HTML via a URL that is processed by the Shorten functionality.2014-12-094.3CVE-2014-8488
    FULLDISC
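
    The X.Org entries above (CVE-2014-8092 through CVE-2014-8103) share one root cause: request handlers that trusted a client-supplied length or count, either multiplying it into a size that overflowed or indexing into the request before checking it against the bytes actually received. The following is an added illustration of that pattern and its fix, written for this page; it is not X.Org Server code, and the request layout (an 8-byte header carrying a total length in 4-byte units and an item count) is an assumption chosen only to mirror the X11 convention. Neither function reads the items themselves, so the vulnerable variant's wrong decision is visible without an actual out-of-bounds access.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed request layout for the example (not the X11 wire format). */
struct req_hdr {
    uint8_t  opcode;
    uint8_t  pad;
    uint16_t length;   /* whole request length in 4-byte units, as X11 does it */
    uint32_t count;    /* number of 4-byte items the client says follow the header */
};

/*
 * Both functions return the number of items the handler would go on to read,
 * or -1 if the request is rejected.
 */

/* Vulnerable: the needed size is computed in 32 bits from the client's count and
 * is compared only against the length the same client supplied. */
long items_to_read_vulnerable(const uint8_t *buf, size_t buflen)
{
    struct req_hdr h;
    if (buflen < sizeof h)
        return -1;
    memcpy(&h, buf, sizeof h);

    uint32_t declared = (uint32_t)h.length * 4u;         /* client-controlled */
    uint32_t need = (uint32_t)sizeof h + h.count * 4u;   /* wraps when count >= 0x40000000 */
    if (need > declared)
        return -1;
    return (long)h.count;   /* a real handler would now loop count times */
}

/* Hardened: bound the declared length by what was actually received, and compare
 * the count against the remaining space by division, which cannot overflow. The
 * same check must run before any byte-swapping in the handlers for clients of
 * the other endianness (the SProc* functions in the entries above). */
long items_to_read_hardened(const uint8_t *buf, size_t buflen)
{
    struct req_hdr h;
    if (buflen < sizeof h)
        return -1;
    memcpy(&h, buf, sizeof h);

    size_t declared = (size_t)h.length * 4u;
    if (declared < sizeof h || declared > buflen)
        return -1;                              /* header lies about its size */
    size_t avail = declared - sizeof h;         /* bytes really available for items */
    if ((size_t)h.count > avail / 4u)
        return -1;                              /* more items than bytes present */
    return (long)h.count;
}

/* Constructed sample requests for the example (not captured traffic). */
enum { SAMPLE_VALID = 0, SAMPLE_WRAPPED_COUNT = 1, SAMPLE_OVERLONG_LENGTH = 2 };

long check_sample(int which, int hardened)
{
    uint8_t buf[32] = {0};
    struct req_hdr h = {0};
    size_t buflen;

    switch (which) {
    case SAMPLE_VALID:           /* 8-byte header + 3 items = 20 bytes = 5 units */
        h.length = 5;  h.count = 3;           buflen = 20; break;
    case SAMPLE_WRAPPED_COUNT:   /* header only; count*4 wraps to 0 in 32 bits */
        h.length = 2;  h.count = 0x40000000u; buflen = 8;  break;
    case SAMPLE_OVERLONG_LENGTH: /* claims 24 bytes, but only 8 were received */
        h.length = 6;  h.count = 4;           buflen = 8;  break;
    default:
        return -1;
    }
    h.opcode = 1;
    memcpy(buf, &h, sizeof h);
    return hardened ? items_to_read_hardened(buf, buflen)
                    : items_to_read_vulnerable(buf, buflen);
}

int main(void)
{
    const char *names[] = { "valid", "wrapped count", "overlong length" };
    for (int i = 0; i < 3; i++)
        printf("%-16s vulnerable=%ld hardened=%ld\n",
               names[i], check_sample(i, 0), check_sample(i, 1));
    return 0;
}
```

    The two crafted samples are the two failure modes in the entries: a count whose multiplied size wraps to a small number, and a header whose declared length exceeds the request actually read from the socket. The vulnerable check passes both; the hardened one rejects both and still accepts the well-formed request.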

    Low Vulnerabilities

    Primary Vendor -- Product
    Description
    Published | CVSS Score | CVE | Source & Patch Info
    chyrp -- chyrp
    Multiple cross-site scripting (XSS) vulnerabilities in admin/themes/default/pages/manage_users.twig in the Users Management feature in the admin component in Chyrp before 2.5.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) user.email or (2) user.website field in a user registration.
    Published: 2014-12-11 | CVSS: 3.5 | CVE-2014-7264

    gnu -- binutils
    Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy, or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.
    Published: 2014-12-09 | CVSS: 3.6 | CVE-2014-8737 | Sources: CONFIRM, CONFIRM, CONFIRM, CONFIRM, MLIST, FEDORA, FEDORA, FEDORA

    hierarchial_select_project -- hierarchical_select
    Multiple cross-site scripting (XSS) vulnerabilities in the Hierarchical Select module 6.x-3.x before 6.x-3.9 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to the (1) taxonomy term title for instances with Save term lineage enabled or (2) entity type fields.
    Published: 2014-12-08 | CVSS: 3.5 | CVE-2014-9346 | Sources: XF, SECUNIA

    hp -- smart_update_manager
    Unspecified vulnerability in HP Smart Update Manager 6.x before 6.4.1 on Windows, and 6.2.x through 6.4.x before 6.4.1 on Linux, allows local users to obtain sensitive information, and consequently gain privileges, via unknown vectors.
    Published: 2014-12-10 | CVSS: 2.1 | CVE-2014-2608

    ibm -- systems_director
    Unspecified vulnerability in the Security component in IBM Systems Director 6.3.0 through 6.3.5 allows local users to obtain sensitive information via unknown vectors.
    Published: 2014-12-06 | CVSS: 2.1 | CVE-2014-3099 | Sources: XF, BID, CONFIRM, AIXAPAR

    ibm -- websphere_datapower_xc10_appliance_firmware
    The IBM WebSphere DataPower XC10 appliance 2.1 and 2.5 before FP4 allows local users to obtain sensitive information by reading a response.
    Published: 2014-12-11 | CVSS: 2.1 | CVE-2014-6143 | Sources: XF, AIXAPAR

    ibm -- websphere_datapower_xc10_appliance_firmware
    Cross-site scripting (XSS) vulnerability on the IBM WebSphere DataPower XC10 appliance 2.1 and 2.5 before FP4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
    Published: 2014-12-11 | CVSS: 3.5 | CVE-2014-6163 | Sources: XF, AIXAPAR

    ibm -- websphere_portal
    Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 before 7.0.0.2 CF29, 8.0.0 through 8.0.0.1 CF14, and 8.5.0 before CF03 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
    Published: 2014-12-11 | CVSS: 3.5 | CVE-2014-6215 | Sources: XF, AIXAPAR

    meta_tags_quick_project -- meta_tags_quick
    Cross-site scripting (XSS) vulnerability in the path-based meta tag editing form in the Meta tags quick module 7.x-2.x before 7.x-2.8 for Drupal allows remote authenticated users with the "Edit path based meta tags" permission to inject arbitrary web script or HTML via vectors related to deleting a Path-based Metatag.
    Published: 2014-12-10 | CVSS: 3.5 | CVE-2014-9362

    microsoft -- exchange_server
    Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 6 does not properly validate redirection tokens, which allows remote attackers to redirect users to arbitrary web sites and spoof the origin of e-mail messages via unspecified vectors, aka "Exchange URL Redirection Vulnerability."
    Published: 2014-12-10 | CVSS: 3.5 | CVE-2014-6336

    mozilla -- firefox
    Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, and Thunderbird before 31.3 on Apple OS X 10.10 omit a CoreGraphics disable-logging action that is needed by jemalloc-based applications, which allows local users to obtain sensitive information by reading /tmp files, as demonstrated by credential information.
    Published: 2014-12-11 | CVSS: 2.1 | CVE-2014-1595 | Sources: CONFIRM, MISC

    yokogawa -- fast/tools
    XML external entity (XXE) vulnerability in the WebHMI server in Yokogawa Electric Corporation FAST/TOOLS before R9.05-SP2 allows local users to cause a denial of service (CPU or network traffic consumption) or read arbitrary files via unspecified vectors.
    Published: 2014-12-06 | CVSS: 3.2 | CVE-2014-7251 | Sources: XF, JVNDB, JVN
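
    The binutils entry (CVE-2014-8737) is the archive form of directory traversal: a member name stored in the archive is used as an output path, so a ".." component or an absolute name escapes the working directory when ar, strip or objcopy writes it out. The same defect appears elsewhere in these bulletins in web form (the FILENAME parameter of the OpManager FileCollector servlet, the file parameter of the D-Link sddownload.cgi, the FileVista zip extraction), and the check is the same for all of them. The code below is an added example written for this page, not binutils code; it inspects a member name component by component and refuses it before the name is ever joined to the destination directory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Decide whether an archive member name (or any externally supplied relative
 * path) may be used to create a file under an extraction directory.
 * Rejected: empty names, absolute paths, backslash separators, and any ".."
 * component, wherever it occurs. A leading "./" and empty components such as
 * "a//b" are tolerated because they cannot leave the directory. Names that
 * merely start with two dots ("..hidden") are ordinary file names.
 */
bool is_safe_member_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/')                      /* absolute path */
        return false;
    if (strchr(name, '\\') != NULL)          /* Windows separator; reject outright */
        return false;

    /* Walk the path one component at a time. */
    const char *p = name;
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                    /* ".." component anywhere */
        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}

/*
 * Build the output path "<base>/<name>" for a member, or return false without
 * writing anything if the name is unsafe or the buffer is too small.
 */
bool build_extraction_path(const char *base, const char *name,
                           char *out, size_t outlen)
{
    if (!is_safe_member_name(name))
        return false;
    int n = snprintf(out, outlen, "%s/%s", base, name);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed member names for the example, not taken from a real archive. */
    const char *names[] = {
        "lib/foo.o", "./readme.txt", "..hidden/file",           /* accepted */
        "../etc/passwd", "/etc/passwd", "a/../../b", "x\\..\\y" /* rejected */
    };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        bool ok = build_extraction_path("/tmp/extract", names[i], path, sizeof path);
        printf("%-16s -> %s\n", names[i], ok ? path : "REJECTED");
    }
    return 0;
}
```

    Checking components rather than searching the string for "../" is what makes "..hidden/file" pass and "a/../../b" fail; a substring test gets one of the two wrong. For extraction into a directory that may already contain symlinks, this check is necessary but not sufficient, and the writer should additionally open the destination with O_NOFOLLOW or verify the resolved path after creation.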



  • SB14-342: Vulnerability Summary for the Week of December 1, 2014
    Original release date: December 08, 2014

    High Vulnerabilities

    Primary Vendor -- Product
    Description
    Published | CVSS Score | CVE | Source & Patch Info
    canto -- canto_curses
    canto_curses/guibase.py in Canto Curses before 0.9.0 allows remote feed servers to execute arbitrary commands via shell metacharacters in a URL in a feed.
    Published: 2014-12-03 | CVSS: 7.5 | CVE-2013-7416 | Sources: CONFIRM, CONFIRM, XF, BID, MLIST, MLIST

    cchgroup -- prosystem_fx_engagement
    CCH Wolters Kluwer ProSystem fx Engagement (aka PFX Engagement) 7.1 and earlier uses weak permissions (Authenticated Users: Modify and Write) for the (1) Pfx.Engagement.WcfServices, (2) PFXEngDesktopService, (3) PFXSYNPFTService, and (4) P2EWinService service files in PFX Engagement\, which allows local users to obtain LocalSystem privileges via a Trojan horse file.
    Published: 2014-12-02 | CVSS: 7.2 | CVE-2014-9113 | Sources: MISC, EXPLOIT-DB, MISC

    creative_minds -- cm_download_manager
    The alterSearchQuery function in lib/controllers/CmdownloadController.php in the CreativeMinds CM Downloads Manager plugin before 2.0.4 for WordPress allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP create_function function.
    Published: 2014-12-05 | CVSS: 10.0 | CVE-2014-8877 | Sources: CONFIRM, BID, BUGTRAQ, MISC, MISC

    fujitsu -- arrows_kiss_f-03d
    FUJITSU F-12C, ARROWS Tab LTE F-01D, ARROWS Kiss F-03D, and REGZA Phone T-01D for Android allows local users to execute arbitrary commands via unspecified vectors.
    Published: 2014-12-05 | CVSS: 7.2 | CVE-2014-7253

    google_doc_embedder_project -- google_doc_embedder
    SQL injection vulnerability in view.php in the Google Doc Embedder plugin before 2.5.15 for WordPress allows remote attackers to execute arbitrary SQL commands via the gpid parameter.
    Published: 2014-12-02 | CVSS: 7.5 | CVE-2014-9173 | Sources: CONFIRM, XF, EXPLOIT-DB, MISC, OSVDB

    graphviz -- graphviz
    Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in an unknown vector, which are not properly handled in an error string.
    Published: 2014-12-03 | CVSS: 7.5 | CVE-2014-9157 | Sources: CONFIRM, XF, BID, SECUNIA, MLIST, MLIST

    hikvision -- dvr_ds-7204_firmware
    Buffer overflow in Hikvision DVR DS-7204 Firmware 2.2.10 build 131009, and other models and versions, allows remote attackers to execute arbitrary code via an RTSP PLAY request with a long Authorization header.
    Published: 2014-12-08 | CVSS: 7.5 | CVE-2014-4880 | Sources: EXPLOIT-DB, MISC

    huawei -- p2-6011_firmware
    The hx170dec device driver in Huawei P2-6011 before V100R001C00B043 allows local users to read and write to arbitrary memory locations via unspecified vectors.
    Published: 2014-12-05 | CVSS: 7.2 | CVE-2014-2273 | Sources: MISC, XF, BID

    huawei -- honor_cube_wireless_router_ws860s
    Unrestricted file upload vulnerability in Huawei Honor Cube Wireless Router WS860s before V100R001C02B222 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.
    Published: 2014-12-03 | CVSS: 10.0 | CVE-2014-9134 | Sources: BID

    internet_initiative_japan -- seil_b1_firmware
    The (1) PPP Access Concentrator (PPPAC) and (2) Dial-Up Networking in Internet Initiative Japan Inc. SEIL series routers SEIL/x86 Fuji 1.00 through 3.22; SEIL/X1, SEIL/X2, and SEIL/B1 1.00 through 4.62; SEIL/Turbo 1.82 through 2.18; and SEIL/neu 2FE Plus 1.82 through 2.18 allow remote attackers to cause a denial of service (restart) via crafted (a) GRE or (b) MPPE packets.
    Published: 2014-12-05 | CVSS: 7.8 | CVE-2014-7256 | Sources: JVNDB, JVN

    invisionpower -- invision_power_board
    SQL injection vulnerability in the IPS Connect service (interface/ipsconnect/ipsconnect.php) in Invision Power Board (aka IPB or IP.Board) 3.3.x and 3.4.x through 3.4.7 before 20141114 allows remote attackers to execute arbitrary SQL commands via the id[] parameter.
    Published: 2014-12-03 | CVSS: 7.5 | CVE-2014-9239 | Sources: FULLDISC

    lsyncd_project -- lsyncd
    default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.
    Published: 2014-12-05 | CVSS: 7.5 | CVE-2014-8990 | Sources: CONFIRM, CONFIRM, CONFIRM, BID, MLIST, MLIST, FEDORA, FEDORA

    manageengine -- desktop_central
    SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90043, Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to LinkViewFetchServlet.dat.
    Published: 2014-12-05 | CVSS: 7.5 | CVE-2014-3996 | Sources: MISC, MISC, FULLDISC

    manageengine -- it360
    SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat.
    Published: 2014-12-05 | CVSS: 7.5 | CVE-2014-3997 | Sources: MISC, MISC, FULLDISC

    mybb -- mybb
    SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the question_id parameter in a do_register action.
    Published: 2014-12-03 | CVSS: 7.5 | CVE-2014-9240 | Sources: MISC

    openvas -- openvas_manager
    SQL injection vulnerability in OpenVAS Manager before 4.0.6 and 5.x before 5.0.7 allows remote attackers to execute arbitrary SQL commands via the timezone parameter in a modify_schedule OMP command.
    Published: 2014-12-02 | CVSS: 7.5 | CVE-2014-9220 | Sources: MLIST

    ossec -- ossec
    host-deny.sh in OSSEC before 2.8.1 writes to temporary files with predictable filenames without verifying ownership, which allows local users to modify access restrictions in hosts.deny and gain root privileges by creating the temporary files before automatic IP blocking is performed.
    Published: 2014-12-01 | CVSS: 7.2 | CVE-2014-5284 | Sources: EXPLOIT-DB, MISC

    pbboard -- pbboard
    SQL injection vulnerability in the CheckEmail function in includes/functions.class.php in PBBoard 3.0.1 before 20141128 allows remote attackers to execute arbitrary SQL commands via the email parameter in the register page to index.php. NOTE: the email parameter in the forget page vector is already covered by CVE-2012-4034.2.
    Published: 2014-12-05 | CVSS: 7.5 | CVE-2014-9215 | Sources: MISC, BUGTRAQ, MISC

    proticaret -- proticaret
    SQL injection vulnerability in Proticaret E-Commerce 3.0 allows remote attackers to execute arbitrary SQL commands via a tem:Code element in a SOAP request.
    Published: 2014-12-03 | CVSS: 7.5 | CVE-2014-9237 | Sources: FULLDISC, MISC

    services_project -- services
    The Services module 7.x-3.x before 7.x-3.10 for Drupal does not properly limit the rate of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack on the administrative password.
    Published: 2014-12-01 | CVSS: 7.5 | CVE-2014-9151

    services_project -- services
    The _user_resource_create function in the Services module 7.x-3.x before 7.x-3.10 for Drupal uses a password of 1 when creating new user accounts, which makes it easier for remote attackers to guess the password via a brute force attack.
    Published: 2014-12-01 | CVSS: 7.5 | CVE-2014-9152

    smartypantsplugins -- sp_project_&_document_manager
    Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter in the email_vendor function or the id parameter in the (2) download_project, (3) download_archive, or (4) remove_cat function.
    Published: 2014-12-02 | CVSS: 7.5 | CVE-2014-9178 | Sources: XF, BUGTRAQ, MISC, EXPLOIT-DB, MISC

    subex -- roc_fraud_management_system
    SQL injection vulnerability in the login page (login/login) in Subex ROC Fraud Management (aka Fraud Management System and FMS) 7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ranger_user[name] parameter.
    Published: 2014-12-02 | CVSS: 7.5 | CVE-2014-8728 | Sources: EXPLOIT-DB

    technicolor -- td5130_router_firmware
    Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to execute arbitrary commands via shell metacharacters in the ping field (setobject_ip parameter).
    Published: 2014-12-05 | CVSS: 7.5 | CVE-2014-9144 | Sources: BUGTRAQ, EXPLOIT-DB, MISC

    thomsonreuters -- fixed_assets_cs
    The installer in Thomson Reuters Fixed Assets CS 13.1.4 and earlier uses weak permissions for connectbgdl.exe, which allows local users to execute arbitrary code by modifying this program.
    Published: 2014-12-02 | CVSS: 7.2 | CVE-2014-9141 | Sources: MISC

    websitebaker -- websitebaker
    SQL injection vulnerability in admin/pages/modify.php in WebsiteBaker 2.8.3 allows remote attackers to execute arbitrary SQL commands via the page_id parameter.
    Published: 2014-12-03 | CVSS: 7.5 | CVE-2014-9242 | Sources: FULLDISC, MISC

    wpdatatables -- wpdatatables
    SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php.
    Published: 2014-12-02 | CVSS: 7.5 | CVE-2014-9175 | Sources: XF, BID, MISC, EXPLOIT-DB, MISC

    zohocorp -- manageengine_opmanager
    Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.
    Published: 2014-12-04 | CVSS: 7.5 | CVE-2014-6035 | Sources: MISC, FULLDISC

    zohocorp -- manageengine_it360
    SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the probeName parameter.
    Published: 2014-12-04 | CVSS: 7.5 | CVE-2014-7867

    zohocorp -- manageengine_it360
    Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.
    Published: 2014-12-04 | CVSS: 7.5 | CVE-2014-7868 | Sources: MISC, FULLDISC

    zte -- zxdsl
    ZTE ZXDSL 831CII has a default password of admin for the admin account, which allows remote attackers to gain administrator privileges.
    Published: 2014-12-02 | CVSS: 10.0 | CVE-2014-9183 | Sources: MISC
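
    Three of the High entries above (Canto Curses, Lsyncd, the Technicolor TD5130 ping field) are the same bug: data from outside the program (a feed URL, a filename being synced, a form field) is spliced into a command line that a shell then parses, so ";", "|", backquotes or "$(...)" in the data become commands. The first-choice fix is to exec the program with an argv array and no shell at all. When a shell cannot be avoided, which is the case for a command that must run on a remote host over ssh (the situation the default-rsyncssh.lua name suggests, though the entry does not say so), each data item has to be single-quoted, and a field whose legitimate values have a narrow shape, such as a ping target, is better allowlisted than escaped. The code below is an added example written for this page, not code from any of those projects; the file-removal command it builds is an assumed stand-in for whatever the remote side actually runs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Quote a string so that POSIX sh passes it through as one literal word.
 * Inside single quotes nothing is special except the quote itself, which is
 * emitted as '\'' (close the quotes, an escaped quote, reopen). Returns the
 * length the full result needs, excluding the NUL, in the manner of snprintf,
 * so the caller can detect truncation; with outlen == 0 nothing is written.
 */
size_t shell_single_quote(const char *in, char *out, size_t outlen)
{
    size_t need = 2;                          /* opening and closing quote */
    for (const char *p = in; *p; p++)
        need += (*p == '\'') ? 4 : 1;
    if (outlen == 0)
        return need;

    size_t i = 0;
#define PUT(c) do { if (i + 1 < outlen) out[i] = (c); i++; } while (0)
    PUT('\'');
    for (const char *p = in; *p; p++) {
        if (*p == '\'') { PUT('\''); PUT('\\'); PUT('\''); PUT('\''); }
        else            PUT(*p);
    }
    PUT('\'');
#undef PUT
    out[i < outlen ? i : outlen - 1] = '\0';
    return need;
}

/*
 * Build the remote half of an "ssh host <command>" invocation that removes one
 * file. ssh hands this string to the remote login shell, so the filename must
 * be quoted; "--" stops a name such as "-rf" from being taken as an option.
 * Returns a pointer to static storage (illustration only, not thread-safe) or
 * NULL if the name did not fit.
 */
const char *build_remote_rm(const char *filename)
{
    static char cmd[1024];
    char quoted[512];
    if (shell_single_quote(filename, quoted, sizeof quoted) >= sizeof quoted)
        return NULL;
    int n = snprintf(cmd, sizeof cmd, "rm -f -- %s", quoted);
    return (n > 0 && (size_t)n < sizeof cmd) ? cmd : NULL;
}

/*
 * Allowlist for a value that will be handed to a fixed command such as ping:
 * hostnames and IP literals need only letters, digits, '.', '-' and ':'.
 * Anything else (spaces, ';', '|', '`', '$', quotes, newlines) is refused
 * rather than escaped, which is the right call when good input is this narrow.
 */
bool is_plain_host(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 253)
        return false;
    for (const char *p = s; *p; p++) {
        unsigned char c = (unsigned char)*p;
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '-' || c == ':';
        if (!ok)
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed inputs; the second filename is the shape the Lsyncd and
     * Canto entries describe, and the second host the shape of the ping case. */
    const char *files[] = { "report.txt", "a'b; rm -rf /; echo 'x" };
    const char *hosts[] = { "10.0.0.1", "10.0.0.1; id" };
    for (size_t i = 0; i < 2; i++) {
        const char *cmd = build_remote_rm(files[i]);
        printf("remote command: %s\n", cmd ? cmd : "(too long)");
    }
    for (size_t i = 0; i < 2; i++)
        printf("%-14s -> %s\n", hosts[i], is_plain_host(hosts[i]) ? "ok" : "rejected");
    return 0;
}
```

    The quoted command is still a string handed to a shell, so it only works because every byte of the filename is inside single quotes and the one character the quotes cannot contain is spliced in as a separate quoted literal. For a local command the argv/execvp route needs none of this, and the allowlist is the right answer where the data is a hostname rather than an arbitrary filename.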

    Medium Vulnerabilities

    Primary Vendor -- Product
    Description
    Published | CVSS Score | CVE | Source & Patch Info
    ad-manager_project -- ad-manager
    Open redirect vulnerability in track-click.php in the Ad-Manager plugin 1.1.2 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the out parameter.
    Published: 2014-12-02 | CVSS: 4.3 | CVE-2014-8754 | Sources: XF, MISC, FULLDISC, MISC

    adobe -- acrobat
    Race condition in the MoveFileEx call hook feature in Adobe Reader and Acrobat 11.x before 11.0.09 on Windows allows attackers to bypass a sandbox protection mechanism, and consequently write to files in arbitrary locations, via an NTFS junction attack, a similar issue to CVE-2014-0568.
    Published: 2014-11-29 | CVSS: 6.4 | CVE-2014-9150 | Sources: MISC

    ait-pro -- bulletproof_security
    Server-side request forgery (SSRF) vulnerability in admin/htaccess/bpsunlock.php in the BulletProof Security plugin before .51.1 for WordPress allows remote attackers to trigger outbound requests that authenticate to arbitrary databases via the dbhost parameter.
    Published: 2014-12-01 | CVSS: 5.0 | CVE-2014-8749 | Sources: FULLDISC

    altitude -- altitude_unified_customer_interaction
    Multiple cross-site scripting (XSS) vulnerabilities in Altitude uAgent in Altitude uCI (Unified Customer Interaction) 7.5 allow remote attackers to inject arbitrary web script or HTML via (1) an email hyperlink or (2) the style parameter in the image attribute section.
    Published: 2014-12-05 | CVSS: 4.3 | CVE-2014-9212 | Sources: MISC

    anchorcms -- anchor_cms
    models/comment.php in Anchor CMS 0.9.2 and earlier allows remote attackers to inject arbitrary headers into mail messages via a crafted Host: header.
    Published: 2014-12-02 | CVSS: 4.3 | CVE-2014-9182 | Sources: MISC

    antiword_project -- antiword
    Buffer overflow in the bGetPPS function in wordole.c in Antiword 0.37 allows remote attackers to cause a denial of service (crash) via a crafted document.
    Published: 2014-12-05 | CVSS: 5.0 | CVE-2014-8123 | Sources: BID, MLIST, MLIST

    apache -- hadoop
    The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.
    Published: 2014-12-05 | CVSS: 5.0 | CVE-2014-3627 | Sources: SECUNIA, SECUNIA

    avatar_uploader_project -- avatar_uploader
    Directory traversal vulnerability in the Avatar Uploader module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta6 for Drupal allows remote authenticated users to read arbitrary files via a .. (dot dot) in the path of a cropped picture in the uploader panel.
    Published: 2014-12-01 | CVSS: 4.0 | CVE-2014-9155

    clamav -- clamav
    Heap-based buffer overflow in the cli_scanpe function in libclamav/pe.c in ClamAV before 0.95.4 allows remote attackers to cause a denial of service (crash) via a crafted y0da Crypter PE file.
    Published: 2014-12-01 | CVSS: 5.0 | CVE-2014-9050 | Sources: CONFIRM, BID, MLIST, SECUNIA, SECUNIA, FEDORA

    creative_minds -- cm_download_manager
    Cross-site request forgery (CSRF) vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the addons_title parameter in the CMDM_admin_settings page to wp-admin/admin.php.
    Published: 2014-12-05 | CVSS: 6.8 | CVE-2014-9129 | Sources: BID, BUGTRAQ, MISC

    d-link -- dcs-2103_hd_cube_network_camera_firmware
    Directory traversal vulnerability in cgi-bin/sddownload.cgi in D-link IP camera DCS-2103 with firmware 1.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
    Published: 2014-12-03 | CVSS: 5.0 | CVE-2014-9234 | Sources: FULLDISC, MISC

    d-link -- dcs-2103_hd_cube_network_camera_firmware
    D-link IP camera DCS-2103 with firmware 1.0.0 allows remote attackers to obtain the installation path via the file parameter to cgi-bin/sddownload.cgi, as demonstrated by a / (forward slash) character.
    Published: 2014-12-03 | CVSS: 5.0 | CVE-2014-9238 | Sources: FULLDISC, MISC

    eleanor-cms -- eleanor_cms
    Open redirect vulnerability in go.php in Eleanor CMS allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the QUERY_STRING.
    Published: 2014-12-02 | CVSS: 5.0 | CVE-2014-9180 | Sources: MISC

    emc -- rsa_adaptive_authentication_on-premise
    RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.
    Published: 2014-12-08 | CVSS: 5.0 | CVE-2014-4631 | Sources: XF, SECTRACK, BID, BUGTRAQ

    f5 -- big-ip
    Cross-site scripting (XSS) vulnerability in the tree view (pl_tree.php) feature in Application Security Manager (ASM) in F5 BIG-IP 11.3.0 allows remote attackers to inject arbitrary web script or HTML by accessing a crafted URL during automatic policy generation.
    Published: 2014-12-08 | CVSS: 4.3 | CVE-2014-9342 | Sources: BUGTRAQ

    fasttoggle_project -- fasttoggle
    The Fasttoggle module 7.x-1.3 and 7.x-1.4 for Drupal allows remote attackers to block or unblock an account via a crafted user status link.
    Published: 2014-12-01 | CVSS: 5.8 | CVE-2014-5268

    filefield_project -- filefield
    The FileField module 6.x-3.x before 6.x-3.13 for Drupal does not properly check permissions to view files, which allows remote authenticated users with permission to create or edit content to read private files by attaching an uploaded file.
    Published: 2014-12-01 | CVSS: 4.0 | CVE-2014-9156

    fujitsu -- arrows_tab_lte_f-01d
    Multiple unspecified vulnerabilities in the Syslink driver for Texas Instruments OMAP mobile processor, as used on NTT DOCOMO ARROWS Tab LTE F-01D, ARROWS X LTE F-05D, Disney Mobile on docomo F-08D, REGZA Phone T-01D, and PRADA phone by LG L-02D; and SoftBank SHARP handsets 102SH allow local users to execute arbitrary code or read kernel memory via unknown vectors related to userland data and "improper data validation."
    Published: 2014-12-05 | CVSS: 4.6 | CVE-2014-7252 | Sources: JVNDB, JVN, MISC, MISC

    fujitsu -- arrows_me_f-11d
    Unspecified vulnerability in ARROWS Me F-11D allows physically proximate attackers to read or modify flash memory via unknown vectors.
    Published: 2014-12-05 | CVSS: 4.6 | CVE-2014-7254 | Sources: JVNDB, JVN, MISC

    gleamtech -- filevista
    GleamTech FileVista before 6.1 allows remote authenticated users to obtain sensitive information via a crafted path when saving a zip file, which reveals the installation path in an error message.
    Published: 2014-12-02 | CVSS: 4.0 | CVE-2014-8788 | Sources: CONFIRM, FULLDISC, MISC

    gleamtech -- filevista
    GleamTech FileVista before 6.1 allows remote authenticated users to create arbitrary files and possibly execute arbitrary code via a crafted path in a zip archive, which is not properly handled during extraction.
    Published: 2014-12-02 | CVSS: 6.5 | CVE-2014-8789 | Sources: CONFIRM, FULLDISC, MISC

    gnu -- glibc
    iconvdata/ibm930.c in GNU C Library (aka glibc) before 2.16 allows context-dependent attackers to cause a denial of service (out-of-bounds read) via a multibyte character value of "0xffff" to the iconv function when converting IBM930 encoded data to UTF-8.
    Published: 2014-12-05 | CVSS: 5.0 | CVE-2012-6656 | Sources: CONFIRM, CONFIRM, BID, MLIST, MLIST, MANDRIVA

    gnu -- glibc
    GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.
    Published: 2014-12-05 | CVSS: 5.0 | CVE-2014-6040 | Sources: CONFIRM, CONFIRM, BID, MLIST, MLIST, MANDRIVA

    gnu -- cpio
    Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive.
    Published: 2014-12-02 | CVSS: 5.0 | CVE-2014-9112 | Sources: MISC, MLIST, MLIST, MLIST, SECUNIA, FULLDISC

    ibm -- java
    Unspecified vulnerability in IBM Java Runtime Environment (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before SR8 FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and 5.0 before SR16 FP8 (5.0.16.8) allows local users to execute arbitrary code via vectors related to the shared classes cache.
    Published: 2014-12-01 | CVSS: 6.9 | CVE-2014-3065 | Sources: CONFIRM, BID, REDHAT, REDHAT, REDHAT, REDHAT, REDHAT

    ibm -- java
    IBM Java Runtime Environment (JRE) 7 R1 before SR1 FP1 (7.1.1.1), 7 before SR7 FP1 (7.0.7.1), 6 R1 before SR8 FP1 (6.1.8.1), 6 before SR16 FP1 (6.0.16.1), and before 5.0 SR16 FP7 (5.0.16.7) allows attackers to obtain the private key from a Certificate Management System (CMS) keystore via a brute force attack.
    Published: 2014-12-01 | CVSS: 6.4 | CVE-2014-3068 | Sources: CONFIRM, XF

    icecast -- icecast
    Icecast before 2.4.1 transmits the output of the on-connect script, which might allow remote attackers to obtain sensitive information, related to shared file descriptors.
    Published: 2014-12-03 | CVSS: 5.0 | CVE-2014-9018 | Sources: CONFIRM, CONFIRM, XF, BID, MLIST, MLIST, MANDRIVA, CONFIRM

    infoware -- mapsuite
    Absolute path traversal vulnerability in the MapAPI in Infoware MapSuite before 1.0.36 and 1.1.x before 1.1.49 allows remote attackers to read arbitrary files via unspecified vectors.
    Published: 2014-12-01 | CVSS: 5.0 | CVE-2014-2232
    MISC
    infoware -- mapsuiteServer-side request forgery (SSRF) vulnerability in the MapAPI in Infoware MapSuite before 1.0.36 and 1.1.x before 1.1.49 allows remote attackers to trigger requests to intranet servers via unspecified vectors.2014-12-015.0CVE-2014-2233
    MISC
    instasqueeze -- sexy_squeeze_pagesCross-site scripting (XSS) vulnerability in the InstaSqueeze Sexy Squeeze Pages plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter to lp/index.php.2014-12-024.3CVE-2014-9176
    XF
    MISC
    MISC
    internet_initiative_japan -- seil_b1_firmwareInternet Initiative Japan Inc. SEIL Series routers SEIL/X1 2.50 through 4.62, SEIL/X2 2.50 through 4.62, SEIL/B1 2.50 through 4.62, and SEIL/x86 Fuji 1.70 through 3.22 allow remote attackers to cause a denial of service (CPU and traffic consumption) via a large number of NTP requests within a short time, which causes unnecessary NTP responses to be sent.2014-12-055.0CVE-2014-7255
    JVNDB
    JVN
    kde -- kde-runtimeMultiple cross-site scripting (XSS) vulnerabilities in KDE-Runtime 4.14.3 and earlier, kwebkitpart 1.3.4 and earlier, and kio-extras 5.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via a crafted URI using the (1) zip, (2) trash, (3) tar, (4) thumbnail, (5) smtps, (6) smtp, (7) smb, (8) remote, (9) recentdocuments, (10) nntps, (11) nntp, (12) network, (13) mbox, (14) ldaps, (15) ldap, (16) fonts, (17) file, (18) desktop, (19) cgi, (20) bookmarks, or (21) ar scheme, which is not properly handled in an error message.2014-12-084.3CVE-2014-8600
    MISC
    BID
    FULLDISC
    kennziffer -- ke_questionnaireThe ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses predictable names for the questionnaire answer forms, which makes it easier for remote attackers to obtain sensitive information via a direct request.2014-12-025.0CVE-2014-8874
    MISC
    BUGTRAQ
    FULLDISC
    kent-web -- clip_boardCross-site scripting (XSS) vulnerability in KENT-WEB Clip Board 2.91 and earlier, when running certain versions of Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2014-12-054.3CVE-2014-7258
    CONFIRM
    JVNDB
    JVN
    lg_electronics -- l-03eLG Electronics Mobile WiFi router L-09C, L-03E, and L-04D does not restrict access to the web administration interface, which allows remote attackers to obtain sensitive information via unspecified vectors.2014-12-055.0CVE-2014-7243
    JVNDB
    JVN
    MISC
    libksba_project -- libskbaInteger underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow.2014-12-015.0CVE-2014-9087
    MISC
    SECUNIA
    SECUNIA
    SECUNIA
    MLIST
    linux -- linux_kernelRace condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure report, a similar issue to CVE-2014-7842.2014-11-294.9CVE-2010-5313
    CONFIRM
    linux -- linux_kernelThe SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association's output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c.2014-11-295.0CVE-2014-3688
    CONFIRM
    CONFIRM
    UBUNTU
    UBUNTU
    MLIST
    CONFIRM
    DEBIAN
    CONFIRM
    linux -- linux_kernelThe sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk.2014-11-295.0CVE-2014-7841
    CONFIRM
    CONFIRM
    MLIST
    CONFIRM
    CONFIRM
    linux -- linux_kernelRace condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.2014-11-294.9CVE-2014-7842
    MLIST
    linux -- linux_kernelThe __clear_user function in arch/arm64/lib/clear_user.S in the Linux kernel before 3.17.4 on the ARM64 platform allows local users to cause a denial of service (system crash) by reading one byte beyond a /dev/zero page boundary.2014-11-294.9CVE-2014-7843
    MLIST
    linux -- linux_kernelStack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call.2014-11-296.1CVE-2014-8884
    CONFIRM
    CONFIRM
    MLIST
    CONFIRM
    CONFIRM
    linux -- linux_kernelThe Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a "negative groups" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c.2014-11-294.6CVE-2014-8989
    MLIST
    CONFIRM
    linux -- linux_kernelThe do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite.2014-11-294.9CVE-2014-9090
    MLIST
    modx -- modx_revolutionMODX Revolution 2.x before 2.2.15 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism by (1) omitting the CSRF token or via a (2) long string in the CSRF token parameter.2014-12-036.8CVE-2014-8773
    MISC
    CONFIRM
    modx -- modx_revolutionCross-site scripting (XSS) vulnerability in manager/index.php in MODX Revolution 2.x before 2.2.15 allows remote attackers to inject arbitrary web script or HTML via the context_key parameter.2014-12-034.3CVE-2014-8774
    MISC
    CONFIRM
    modx -- modx_revolutionMODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.2014-12-035.0CVE-2014-8775
    MISC
    CONFIRM
    mutt -- muttThe write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, which allows remote attackers to cause a denial of service (crash) via a header with an empty body, which triggers a heap-based buffer overflow in the mutt_substrdup function.2014-12-025.0CVE-2014-9116
    CONFIRM
    CONFIRM
    SECTRACK
    BID
    MLIST
    MLIST
    CONFIRM
    mybb -- mybbMultiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title parameter in the style-templates module in an edit_template action or (4) file parameter in the config-languages module in an edit action to admin/index.php.2014-12-034.3CVE-2014-9241
    MISC
    nextendweb -- nextend_facebook_connectCross-site scripting (XSS) vulnerability in nextend-facebook-settings.php in the Nextend Facebook Connect plugin before 1.5.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fb_login_button parameter in a newfb_update_options action.2014-12-054.3CVE-2014-8800
    EXPLOIT-DB
    MISC
    OSVDB
    notify_project -- notifyThe Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly restrict access to (1) new or (2) modified nodes or (3) their fields, which allows remote authenticated users to obtain node titles, teasers, and fields by reading a notification email.2014-12-014.0CVE-2014-9154
    open-xchange -- open-xchange_appsuiteServer-side request forgery (SSRF) vulnerability in the documentconverter component in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allows remote attackers to trigger requests to arbitrary servers and embed arbitrary images via a URL in an embedded image in a Text document, which is not properly handled by the image preview.2014-12-014.3CVE-2014-5237
    BUGTRAQ
    CONFIRM
    MISC
    openvpn -- openvpnOpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.2014-12-036.8CVE-2014-8104
    CONFIRM
    UBUNTU
    phpmyadmin -- phpmyadminMultiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database, (2) table, or (3) column name that is improperly handled during rendering of the table browse page; a crafted ENUM value that is improperly handled during rendering of the (4) table print view or (5) zoom search page; or (6) a crafted pma_fontsize cookie that is improperly handled during rendering of the home page.2014-11-304.3CVE-2014-8958
    phpmyadmin -- phpmyadminDirectory traversal vulnerability in libraries/gis/GIS_Factory.class.php in the GIS editor in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allows remote authenticated users to include and execute arbitrary local files via a crafted geometry-type parameter.2014-11-306.5CVE-2014-8959
    CONFIRM
    phpmyadmin -- phpmyadminDirectory traversal vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to obtain potentially sensitive information about a file's line count via a crafted parameter.2014-11-304.0CVE-2014-8961
    phpmyadmin -- phpmyadminlibraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (resource consumption) via a long password.2014-12-085.0CVE-2014-9218
    CONFIRM
    CONFIRM
    CONFIRM
    XF
    CONFIRM
    phpmyadmin -- phpmyadminCross-site scripting (XSS) vulnerability in the redirection feature in url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter.2014-12-084.3CVE-2014-9219
    CONFIRM
    XF
    plex -- plex_media_serverMultiple directory traversal vulnerabilities in Plex Media Server before 0.9.9.3 allow remote attackers to read arbitrary files via a .. (dot dot) in the URI to (1) manage/ or (2) web/ or remote authenticated users to read arbitrary files via a .. (dot dot) in the URI to resources/.2014-12-025.0CVE-2014-9181
    MISC
    BUGTRAQ
    redhat -- packstackOpenStack PackStack 2012.2.1, when the Open vSwitch (OVS) monolithic plug-in is not used, does not properly set the libvirt_vif_driver configuration option when generating the nova.conf configuration, which causes the firewall to be disabled and allows remote attackers to bypass intended access restrictions.2014-12-015.0CVE-2014-3703
    redhat -- tcpdumpBuffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump 4.6.2 and earlier allows remote attackers to cause a denial of service (crash) cia a crafted PPP packet.2014-12-055.0CVE-2014-9140
    CONFIRM
    MLIST
    services_project -- servicesCross-site scripting (XSS) vulnerability in the Services module 7.x-3.x before 7.x-3.10 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the callback parameter in a JSONP response.2014-12-014.3CVE-2014-9153
    springshare -- libcalMultiple cross-site scripting (XSS) vulnerabilities in api_events.php in Springshare LibCal 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) m or (2) cid parameter.2014-12-014.3CVE-2014-7291
    XF
    MISC
    FULLDISC
    square_enix_co_ltd -- kaku_san_sei_million_aruthurSQUARE ENIX Co., Ltd. Kaku-San-Sei Million Arthur before 2.25 for Android stores "product credentials" on the SD card, which allows attackers to gain privileges via a crafted application.2014-12-055.0CVE-2014-7259
    JVNDB
    JVN
    sunhater -- kcfinderCross-site scripting (XSS) vulnerability in index.php in SunHater KCFinder 3.11 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) file or (2) directory (folder) name of an uploaded file.2014-12-024.3CVE-2014-3988
    CONFIRM
    supportezzy_ticket_system_project -- supportezzy_ticket_systemCross-site scripting (XSS) vulnerability in the SupportEzzy Ticket System plugin 1.2.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the "URL (optional)" field in a new ticket.2014-12-024.0CVE-2014-9179
    MISC
    svnlabs -- html5_mp3_player_with_playlist_freeThe HTML5 MP3 Player with Playlist Free plugin before 2.7 for WordPress allows remote attackers to obtain the installation path via a request to html5plus/playlist.php.2014-12-025.0CVE-2014-9177
    XF
    MISC
    MISC
    technicolor -- td5130_router_firmwareCross-site scripting (XSS) vulnerability in Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to inject arbitrary web script or HTML via the failrefer parameter.2014-12-054.3CVE-2014-9142
    BUGTRAQ
    EXPLOIT-DB
    MISC
    technicolor -- td5130_router_firmwareOpen redirect vulnerability in Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the failrefer parameter.2014-12-054.3CVE-2014-9143
    BUGTRAQ
    EXPLOIT-DB
    MISC
    torch_gmbh -- graylog2Graylog2 before 0.92 allows remote attackers to bypass LDAP authentication via crafted wildcards.2014-12-085.0CVE-2014-9217
    tuleap -- tuleapproject/register.php in Tuleap before 7.7, when sys_create_project_in_one_step is disabled, allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via the data parameter.2014-12-016.0CVE-2014-8791
    BID
    BUGTRAQ
    FULLDISC
    MISC
    MISC
    undertow_project -- undertowDirectory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.2014-12-015.0CVE-2014-7816
    BID
    MLIST
    vmware -- vcenter_server_applianceCross-site scripting (XSS) vulnerability in VMware vCenter Server Appliance (vCSA) 5.1 before Update 3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2014-12-084.3CVE-2014-3797
    BUGTRAQ
    FULLDISC
    vmware -- vcenter_server_applianceVMware vCenter Server Appliance (vCSA) 5.5 before Update 2, 5.1 before Update 3, and 5.0 before Update 3c does not properly validate certificates when connecting to a CIM Server on an ESXi host, which allows man-in-the-middle attackers to spoof CIM servers via a crafted certificate.2014-12-084.3CVE-2014-8371
    BUGTRAQ
    FULLDISC
    websitebaker -- websitebakerMultiple cross-site scripting (XSS) vulnerabilities in WebsiteBaker 2.8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to wb/admin/admintools/tool.php or (2) section_id parameter to edit_module_files.php, (3) news/add_post.php, (4) news/modify_group.php, (5) news/modify_post.php, or (6) news/modify_settings.php in wb/modules/.2014-12-034.3CVE-2014-9243
    FULLDISC
    MISC
    x3cms -- x3_cmsMultiple cross-site request forgery (CSRF) vulnerabilities in the admin area in X3 CMS 0.5.1 and 0.5.1.1 allow remote attackers to hijack the authentication of administrators via unspecified vectors.2014-12-036.8CVE-2014-8771
    MISC
    xen -- xenThe compatibility mode hypercall argument translation in Xen 3.3.x through 4.4.x, when running on a 64-bit hypervisor, allows local 32-bit HVM guests to cause a denial of service (host crash) via vectors involving altering the high halves of registers while in 64-bit mode.2014-12-014.9CVE-2014-8866
    BID
    SECUNIA
    xen -- xenThe acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x, and earlier lacks properly bounds checking for memory mapped I/O (MMIO) emulated in the hypervisor, which allows local HVM guests to cause a denial of service (host crash) via unspecified vectors.2014-12-014.9CVE-2014-8867
    BID
    SECUNIA
    yoast -- google_analyticsCross-site scripting (XSS) vulnerability in the Google Analytics by Yoast (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "Manually enter your UA code" (manual_ua_code_field) field in the General Settings.2014-12-024.3CVE-2014-9174
    MISC
    CONFIRM
    BID
    zohocorp -- manageengine_it360Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.2014-12-045.0CVE-2014-5445
    CONFIRM
    MISC
    MISC
    XF
    BID
    BUGTRAQ
    BUGTRAQ
    FULLDISC
    zohocorp -- manageengine_it360Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.2014-12-045.0CVE-2014-5446
    MISC
    XF
    BID
    BUGTRAQ
    BUGTRAQ
    FULLDISC
    MISC
    zohocorp -- manageengine_it360Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.2014-12-045.0CVE-2014-6034
    MISC
    FULLDISC
    zohocorp -- manageengine_it360Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.2014-12-046.4CVE-2014-6036
    MISC
    FULLDISC
    zoph -- zophMultiple SQL injection vulnerabilities in Zoph (aka Zoph Organizes Photos) 0.9.1 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) _action parameter to group.php or (2) user.php or the (3) location_id parameter to photos.php in php/.2014-12-036.5CVE-2014-9235
    FULLDISC
    MISC
    zoph -- zophCross-site scripting (XSS) vulnerability in php/edit_photos.php in Zoph (aka Zoph Organizes Photos) 0.9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) photographer_id or (2) _crumb parameter.2014-12-034.3CVE-2014-9236
    FULLDISC
    MISC
    zte -- zxdslZTE ZXDSL 831CII allows remote attackers to bypass authentication via a direct request to (1) main.cgi, (2) adminpasswd.cgi, (3) userpasswd.cgi, (4) upload.cgi, (5) conprocess.cgi, or (6) connect.cgi.2014-12-025.0CVE-2014-9184
    MISC
    Back to top

    Low Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
    clamav -- clamav | clamscan in ClamAV before 0.98.5, when using -a option, allows remote attackers to cause a denial of service (crash) as demonstrated by the jwplayer.js file. | 2014-12-01 | 2.1 | CVE-2013-6497 (CONFIRM, XF, UBUNTU, BID, MLIST, MLIST, MANDRIVA, SECUNIA, SECUNIA, FEDORA, FEDORA)
    fedup_project -- fedup | fedup 0.9.0 in Fedora 19, 20, and 21 uses a temporary directory with a static name for its download cache, which allows local users to cause a denial of service (prevention of system updates). | 2014-12-01 | 2.1 | CVE-2013-6494 (BID, FEDORA)
    nagios -- nagios | The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4702. | 2014-12-05 | 2.1 | CVE-2014-4701 (SUSE, MLIST, EXPLOIT-DB, SECUNIA, SECUNIA, FULLDISC, MISC)
    nagios -- nagios | The check_icmp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4701. | 2014-12-05 | 2.1 | CVE-2014-4702 (SUSE, MLIST, SECUNIA, SECUNIA)
    nagios -- nagios | lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain sensitive information via a symlink attack on the configuration file in the extra-opts flag. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4701. | 2014-12-05 | 2.1 | CVE-2014-4703 (MLIST, FULLDISC)
    phpmyadmin -- phpmyadmin | Cross-site scripting (XSS) vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. | 2014-11-30 | 3.5 | CVE-2014-8960 (CONFIRM)
    redhat -- enterprise_virtualization | The rhevm-log-collector package in Red Hat Enterprise Virtualization 3.4 uses the PostgreSQL database password on the command line when calling sosreport, which allows local users to obtain sensitive information by listing the processes. | 2014-12-05 | 2.1 | CVE-2014-3561 (XF, SECTRACK)
    x3cms -- x3_cms | Cross-site scripting (XSS) vulnerability in the search_controller in X3 CMS 0.5.1 and 0.5.1.1 allows remote authenticated users to inject arbitrary web script or HTML via the search parameter. | 2014-12-03 | 3.5 | CVE-2014-8772 (MISC)



  • SB14-335: Vulnerability Summary for the Week of November 24, 2014
    Original release date: December 01, 2014


    High Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
    adobe -- air | Adobe Flash Player before 13.0.0.258 and 14.x and 15.x before 15.0.0.239 on Windows and OS X and before 11.2.202.424 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302 allow attackers to execute arbitrary code or cause a denial of service (invalid pointer dereference) via unspecified vectors. | 2014-11-25 | 7.5 | CVE-2014-8439
    apptha -- contus_video_gallery | Multiple SQL injection vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly as distributed before 2014-07-23, for WordPress allow (1) remote attackers to execute arbitrary SQL commands via the vid parameter in a myextract action to wp-admin/admin-ajax.php or (2) remote authenticated users to execute arbitrary SQL commands via the playlistId parameter in the newplaylist page or (3) videoId parameter in a newvideo page to wp-admin/admin.php. | 2014-11-26 | 7.5 | CVE-2014-9097 (BID, MISC)
    arris -- vap2500_firmware | Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors. | 2014-11-28 | 10.0 | CVE-2014-8423 (MISC)
    arris -- vap2500_firmware | ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication. | 2014-11-28 | 7.8 | CVE-2014-8424 (MISC)
    arris -- vap2500_firmware | The management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to obtain credentials by reading the configuration files. | 2014-11-28 | 7.8 | CVE-2014-8425 (MISC)
    arubanetworks -- clearpass_policy_manager | SQL injection vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) 6.2.x, 6.3.x before 6.3.6, and 6.4.x before 6.4.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2014-11-25 | 7.5 | CVE-2014-8367 (XF, SECUNIA)
    arubanetworks -- airwave | The web interface in Aruba Networks AirWave before 7.7.14 and 8.x before 8.0.5 allows remote authenticated users to gain privileges and execute arbitrary commands via unspecified vectors. | 2014-11-25 | 9.0 | CVE-2014-8368 (XF, SECUNIA)
    cisco -- openh264 | Buffer overflow in decode.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file. | 2014-11-25 | 7.5 | CVE-2014-8001
    cisco -- openh264 | Use-after-free vulnerability in decode_slice.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file. | 2014-11-25 | 7.5 | CVE-2014-8002
    cononical -- ubuntu | mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors. | 2014-11-25 | 7.2 | CVE-2014-1421
    cybozu -- dezie | Buffer overflow in Cybozu Office 9 and 10 before 10.1.0, Mailwise 4 and 5 before 5.1.4, and Dezie 8 before 8.1.1 allows remote authenticated users to execute arbitrary code via e-mail messages. | 2014-11-23 | 9.0 | CVE-2014-5314 (JVNDB, JVN)
    dell -- sonicwall_analyzer | The ViewPoint web application in Dell SonicWALL Global Management System (GMS) before 7.2 SP2, SonicWALL Analyzer before 7.2 SP2, and SonicWALL UMA before 7.2 SP2 allows remote authenticated users to execute arbitrary code via unspecified vectors. | 2014-11-25 | 9.0 | CVE-2014-8420 (MISC)
    digium -- asterisk | The res_pjsip_acl module in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 does not properly create and load ACLs defined in pjsip.conf at startup, which allows remote attackers to bypass intended PJSIP ACL rules. | 2014-11-24 | 7.5 | CVE-2014-8413
    digium -- asterisk | The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, 11.x before 11.1.4.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8 before 1.8.28-cert8 and 11.6 before 11.6-cert8 allows remote authenticated users to gain privileges via a call from an external protocol, as demonstrated by the AMI protocol. | 2014-11-24 | 9.0 | CVE-2014-8418
    documentfoundation -- libreoffice | LibreOffice before 4.3.5 allows remote attackers to cause a denial of service (invalid write operation and crash) and possibly execute arbitrary code via a crafted RTF file. | 2014-11-26 | 7.5 | CVE-2014-9093 (CONFIRM, MLIST, MLIST)
    enalean -- tuleap | Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbitrary commands via the User-Agent header, which is provided to the passthru PHP function. | 2014-11-28 | 9.3 | CVE-2014-7178 (MISC, FULLDISC)
    flac -- libflac | Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file. | 2014-11-26 | 7.5 | CVE-2014-8962 (MISC, CONFIRM, BUGTRAQ, MISC)
    flac -- libflac | Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file. | 2014-11-26 | 7.5 | CVE-2014-9028 (MISC, CONFIRM, BUGTRAQ, MISC)
    gogits -- gogs | SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues. | 2014-11-21 | 7.5 | CVE-2014-8681 (CONFIRM, XF, EXPLOIT-DB, FULLDISC, MISC, CONFIRM)
    gogits -- gogs | Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go. | 2014-11-21 | 7.5 | CVE-2014-8682 (CONFIRM, XF, BID, BUGTRAQ, EXPLOIT-DB, FULLDISC, MISC, CONFIRM)
    justsystems -- ichitaro | Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file. | 2014-11-25 | 10.0 | CVE-2014-7247 (JVNDB, JVN)
    manageengine -- oputils | The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile." | 2014-11-25 | 7.8 | CVE-2014-8678 (MISC)
    mantisbt -- mantisbt | Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to view_all_set.php. | 2014-11-28 | 7.5 | CVE-2014-9089 (MLIST, MLIST)
    moodle -- moodle | The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack. | 2014-11-24 | 7.5 | CVE-2014-7845 (MLIST)
    php -- php | Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding. | 2014-11-22 | 7.5 | CVE-2014-8626 (CONFIRM, CONFIRM, CONFIRM, MLIST, CONFIRM)
    pligg -- pligg_cms | Multiple SQL injection vulnerabilities in recover.php in Pligg CMS 2.0.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) n parameter. | 2014-11-26 | 7.5 | CVE-2014-9096 (CONFIRM, CONFIRM, BID, FULLDISC, MISC)
    raritan -- power_iq | Multiple SQL injection vulnerabilities in Raritan Power IQ 4.1.0 and 4.2.1 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to license/records. | 2014-11-26 | 7.5 | CVE-2014-9095
    SECUNIA
    FULLDISC
    MISC
    siemens -- simatic_pcs7The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to execute arbitrary code via crafted packets.2014-11-2610.0CVE-2014-8551
    wibu -- codemeter_runtimeWibu-Systems CodeMeter Runtime before 5.20 uses weak permissions (read and write access for all users) for codemeter.exe, which allows local users to gain privileges via a Trojan horse file.2014-11-267.2CVE-2014-8419
    BUGTRAQ
    MISC
    xen -- xenThe do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE.2014-11-247.1CVE-2014-9030
    XF
    BID

    Medium Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
    cisco -- adaptive_security_appliance_software | The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.3(.2) and earlier does not properly allocate memory blocks during HTTP packet handling, which allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCuq68888. | 2014-11-27 | 5.0 | CVE-2014-3407
    cisco -- ios_xr | Cisco IOS XR allows remote attackers to cause a denial of service (LISP process reload) by establishing many LISP TCP sessions, aka Bug ID CSCuq90378. | 2014-11-25 | 5.0 | CVE-2014-8004
    cisco -- ios_xr | Race condition in the lighttpd module in Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (process reload) by establishing many TCP sessions, aka Bug ID CSCuq45239. | 2014-11-25 | 5.0 | CVE-2014-8005
    digitalzoomstudio -- video_gallery | Multiple cross-site scripting (XSS) vulnerabilities in deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter. | 2014-11-26 | 4.3 | CVE-2014-9094; MISC, FULLDISC
    digium -- asterisk | The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package. | 2014-11-26 | 4.0 | CVE-2014-6609
    digium -- asterisk | Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dialplan application. | 2014-11-26 | 4.0 | CVE-2014-6610
    digium -- asterisk | The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to bypass the ACL restrictions via a packet with a source IP that does not share the address family as the first ACL entry. | 2014-11-24 | 5.0 | CVE-2014-8412
    digium -- asterisk | ConfBridge in Asterisk 11.x before 11.14.1 and Certified Asterisk 11.6 before 11.6-cert8 does not properly handle state changes, which allows remote attackers to cause a denial of service (channel hang and memory consumption) by causing transitions to be delayed, which triggers a state change from hung up to waiting for media. | 2014-11-24 | 5.0 | CVE-2014-8414; CONFIRM
    digium -- asterisk | Race condition in the chan_pjsip channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 allows remote attackers to cause a denial of service (assertion failure and crash) via a cancel request for a SIP session with a queued action to (1) answer a session or (2) send ringing. | 2014-11-24 | 5.0 | CVE-2014-8415
    digium -- asterisk | Use-after-free vulnerability in the PJSIP channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1, when using the res_pjsip_refer module, allows remote attackers to cause a denial of service (crash) via an in-dialog INVITE with Replaces message, which triggers the channel to be hung up. | 2014-11-24 | 5.0 | CVE-2014-8416
    digium -- asterisk | ConfBridge in Asterisk 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 11.6 before 11.6-cert8 allows remote authenticated users to (1) gain privileges via vectors related to an external protocol to the CONFBRIDGE dialplan function or (2) execute arbitrary system commands via a crafted ConfbridgeStartRecord AMI action. | 2014-11-24 | 6.5 | CVE-2014-8417
    directwebremoting -- direct_web_remoting | The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 2014-11-23 | 5.0 | CVE-2014-5325; JVNDB, JVN
    directwebremoting -- direct_web_remoting | Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-11-23 | 4.3 | CVE-2014-5326; JVNDB, JVN
    drupal -- drupal | Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions. | 2014-11-24 | 6.8 | CVE-2014-9015; MLIST, MLIST, DEBIAN, SECUNIA
    drupal -- drupal | The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request. | 2014-11-24 | 5.0 | CVE-2014-9016; MLIST, MLIST, MLIST, DEBIAN, SECUNIA
    dukapress_project -- dukapress | Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php. | 2014-11-28 | 5.0 | CVE-2014-8799; XF, EXPLOIT-DB, MISC
    gnu -- glibc | The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))". | 2014-11-24 | 4.3 | CVE-2014-7817; CONFIRM, CONFIRM, XF, BID, MLIST
    gogits -- gogs | Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown. | 2014-11-21 | 4.3 | CVE-2014-8683; XF, BUGTRAQ, FULLDISC, MISC, CONFIRM
    huawei -- e3236_firmware | Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users for requests that (1) modify configurations, (2) send SMS messages, or have other unspecified impact via unknown vectors. | 2014-11-21 | 6.8 | CVE-2014-5395; BID
    ibm -- sterling_selling_and_fulfillment_foundation | Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character. | 2014-11-22 | 4.0 | CVE-2014-4807; XF
    ibm -- qradar_risk_manager | Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. | 2014-11-27 | 6.8 | CVE-2014-4829; XF
    ibm -- qradar_risk_manager | IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to hijack sessions via unspecified vectors. | 2014-11-27 | 5.8 | CVE-2014-4831; XF
    ibm -- qradar_risk_manager | IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to obtain sensitive cookie information by sniffing the network during an HTTP session. | 2014-11-27 | 4.3 | CVE-2014-4832; XF
    ibm -- qradar_risk_manager | IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, place credentials in URLs, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history. | 2014-11-27 | 5.0 | CVE-2014-6075; XF
    ibm -- security_network_protection_xgs_5000 | IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors. | 2014-11-22 | 4.0 | CVE-2014-6183; CONFIRM
    ibm -- web_experience_factory | Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSphere Portal configuration, leading to improper construction of a response page by an application. | 2014-11-25 | 4.3 | CVE-2014-6196; XF, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR
    iwip_project -- iwip | resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets. | 2014-11-27 | 5.0 | CVE-2014-4883; CERT-VN
    jexperts -- channel_platform | JExperts Channel Platform 5.0.33_CCB allows remote authenticated users to bypass access restrictions via crafted action and key parameters. | 2014-11-25 | 6.5 | CVE-2014-8558; FULLDISC, MISC
    jqueryui -- jquery_ui | Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option. | 2014-11-24 | 4.3 | CVE-2010-5312; XF, MLIST, MLIST
    jqueryui -- jquery_ui | Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo. | 2014-11-24 | 4.3 | CVE-2012-6662; XF, MLIST, MLIST
    kunena -- kunena | Multiple SQL injection vulnerabilities in the Kunena component before 3.0.6 for Joomla! allow remote authenticated users to execute arbitrary SQL commands via the index value in an array parameter, as demonstrated by the topics[] parameter in an unfavorite action to index.php. | 2014-11-26 | 6.5 | CVE-2014-9102; BID, MISC
    kunena -- kunena | Multiple cross-site scripting (XSS) vulnerabilities in the Kunena component before 3.0.6 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) index value of an array parameter or the filename parameter in the Content-Disposition header to the (2) file or (3) profile image upload functionality. | 2014-11-26 | 4.3 | CVE-2014-9103; BID, MISC
    mantisbt -- mantisbt | MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL. | 2014-11-24 | 4.0 | CVE-2014-8988; XF, BID, MLIST, CONFIRM, MLIST
    matrikonopc -- dnp3_opc_server | MatrikonOPC OPC Server for DNP3 1.2.3 and earlier allows remote attackers to cause a denial of service (unhandled exception and DNP3 process crash) via a crafted message. | 2014-11-27 | 5.0 | CVE-2014-5426; MISC
    moodle -- moodle | lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service. | 2014-11-24 | 4.0 | CVE-2014-7831; MLIST, CONFIRM
    moodle -- moodle | mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance. | 2014-11-24 | 4.0 | CVE-2014-7832; MLIST, CONFIRM
    moodle -- moodle | mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher. | 2014-11-24 | 4.0 | CVE-2014-7833; MLIST, CONFIRM
    moodle -- moodle | mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service. | 2014-11-24 | 4.0 | CVE-2014-7834; MLIST, CONFIRM
    moodle -- moodle | Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request. | 2014-11-24 | 6.8 | CVE-2014-7836; MLIST
    moodle -- moodle | mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to remove wiki pages by leveraging delete access within a different subwiki. | 2014-11-24 | 5.5 | CVE-2014-7837; MLIST
    moodle -- moodle | Multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for requests that set a tracking preference within (1) mod/forum/deprecatedlib.php, (2) mod/forum/forum.js, (3) mod/forum/index.php, or (4) mod/forum/lib.php. | 2014-11-24 | 6.8 | CVE-2014-7838; MLIST
    moodle -- moodle | tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request. | 2014-11-24 | 4.0 | CVE-2014-7846; MLIST
    moodle -- moodle | iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote attackers to cause a denial of service (resource consumption) by triggering the calculation of an estimated latitude and longitude for an IP address. | 2014-11-24 | 5.0 | CVE-2014-7847; MLIST
    moodle -- moodle | lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. | 2014-11-24 | 5.0 | CVE-2014-7848; MLIST
    moodle -- moodle | lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts. | 2014-11-24 | 4.3 | CVE-2014-9059; MLIST
    moodle -- moodle | The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php. | 2014-11-24 | 5.0 | CVE-2014-9060; CONFIRM, MLIST
    moxi9 -- phpfox | Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header. | 2014-11-21 | 4.3 | CVE-2014-8469; XF, BID, EXPLOIT-DB, FULLDISC, MISC
    open-xchange -- open-xchange_appsuite | SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call. | 2014-11-21 | 6.5 | CVE-2014-7871; XF, BID, BUGTRAQ, MISC
    openstack -- neutron | OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration. | 2014-11-24 | 4.0 | CVE-2014-7821; XF, SECUNIA
    openswan -- openswan | Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466. | 2014-11-26 | 5.0 | CVE-2014-2037; BID, MLIST, MLIST
    openvpn -- openvpn_access_server | Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) disconnecting established VPN sessions, (2) connect to arbitrary VPN servers, or (3) create VPN profiles and execute arbitrary commands via crafted API requests. | 2014-11-26 | 6.8 | CVE-2014-9104; MISC, MISC, BUGTRAQ, FULLDISC
    oracle -- database_server | Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-4310, and CVE-2014-6547. NOTE: this issue was originally mapped to CVE-2014-4301, but CVE-2014-4301 is for an unrelated vulnerability. | 2014-11-23 | 6.8 | CVE-2014-6477
    paidmembershipspro -- paid_memberships_pro | Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax.php. | 2014-11-28 | 5.0 | CVE-2014-8801; XF, BID, EXPLOIT-DB, MISC, MISC
    polarssl -- polarssl | PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors. | 2014-11-24 | 5.0 | CVE-2014-8627; SECUNIA, SUSE
    redhat -- resteasy | DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors. | 2014-11-25 | 6.4 | CVE-2014-7839; SECUNIA
    redhat -- freeipa | Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to breadcrumb navigation. | 2014-11-28 | 4.3 | CVE-2014-7850
    ruby-lang -- ruby | The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080. | 2014-11-21 | 5.0 | CVE-2014-8090
    siemens -- simatic_pcs7 | The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets. | 2014-11-26 | 5.0 | CVE-2014-8552
    simple_email_form_project -- simple_email_form | Cross-site scripting (XSS) vulnerability in Simple Email Form 1.8.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the mod_simpleemailform_field2_1 parameter to index.php. | 2014-11-21 | 4.3 | CVE-2014-8539; MISC, BID, BUGTRAQ, MISC
    skalfa -- oxwall | Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall 1.7.0 (build 7907 and 7906) and SkaDate Lite 2.0 (build 7651) allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks or possibly have other unspecified impact via the (1) label parameter to admin/users/roles/, (2) lang[1][base][questions_account_type_5615100a931845eca8da20cfdf7327e0] in an AddAccountType action or (3) qst_name parameter in an addQuestion action to admin/questions/ajax-responder/, or (4) form_name or (5) restrictedUsername parameter to admin/restricted-usernames. | 2014-11-26 | 6.8 | CVE-2014-9101; MISC, MISC, BID, EXPLOIT-DB, MISC, MISC, OSVDB, OSVDB, OSVDB, OSVDB
    squid-cache -- squid | The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet. | 2014-11-26 | 6.4 | CVE-2014-7141; CONFIRM, MLIST, MLIST, MLIST
    squid-cache -- squid | The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size. | 2014-11-26 | 6.4 | CVE-2014-7142; CONFIRM, MLIST, MLIST, MLIST
    ubuntu -- apparmor | apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a "miscompilation flaw." | 2014-11-24 | 6.4 | CVE-2014-1424
    whydowork_adsense_project -- whydowork_adsense | Cross-site request forgery (CSRF) vulnerability in the WhyDoWork AdSense plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via a request to the whydowork_adsense page in wp-admin/options-general.php. | 2014-11-26 | 6.8 | CVE-2014-9099; BID, MISC
    whydowork_adsense_project -- whydowork_adsense | Cross-site scripting (XSS) vulnerability in the WhyDoWork AdSense plugin 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the idcode parameter in the whydowork_adsense page to wp-admin/options-general.php. | 2014-11-26 | 4.3 | CVE-2014-9100; BID, MISC
    wireshark -- wireshark | The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet. | 2014-11-22 | 5.0 | CVE-2014-8710; CONFIRM, CONFIRM
    wireshark -- wireshark | Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet. | 2014-11-22 | 5.0 | CVE-2014-8711; CONFIRM, CONFIRM, CONFIRM
    wireshark -- wireshark | The build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. | 2014-11-22 | 5.0 | CVE-2014-8712; CONFIRM, CONFIRM
    wireshark -- wireshark | Stack-based buffer overflow in the build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. | 2014-11-22 | 5.0 | CVE-2014-8713; CONFIRM, CONFIRM
    wireshark -- wireshark | The dissect_write_structured_field function in epan/dissectors/packet-tn5250.c in the TN5250 dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. | 2014-11-22 | 5.0 | CVE-2014-8714; CONFIRM, CONFIRM, CONFIRM
    wordpress -- wordpress | Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post. | 2014-11-25 | 4.3 | CVE-2014-9031; MLIST, MISC
    wordpress -- wordpress | Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-11-25 | 4.3 | CVE-2014-9032; MLIST
    wordpress -- wordpress | Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords. | 2014-11-25 | 6.8 | CVE-2014-9033; MLIST
    wordpress -- wordpress | wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016. | 2014-11-25 | 5.0 | CVE-2014-9034; MLIST
    wordpress -- wordpress | Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-11-25 | 4.3 | CVE-2014-9035; MLIST
    wordpress -- wordpress | Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post. | 2014-11-25 | 4.3 | CVE-2014-9036; MLIST
    wordpress -- wordpress | WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash. | 2014-11-25 | 6.8 | CVE-2014-9037; MLIST
    wordpress -- wordpress | wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource. | 2014-11-25 | 6.4 | CVE-2014-9038; MLIST
    wordpress -- wordpress | wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message. | 2014-11-25 | 4.3 | CVE-2014-9039; MLIST
    xavoc -- xepan_cms | Cross-site request forgery (CSRF) vulnerability in Xavoc Technocrats xEpan CMS 1.0.4.1, 1.0.4, 1.0.1, and earlier allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts via a crafted request to the owner/users page. | 2014-11-28 | 6.8 | CVE-2014-8429; MISC, BUGTRAQ

    Low Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
    apptha -- contus_video_gallery | Multiple cross-site scripting (XSS) vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly before 2014-07-23, for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the videoadssearchQuery parameter to (1) videoads/videoads.php, (2) video/video.php, or (3) playlist/playlist.php. | 2014-11-26 | 3.5 | CVE-2014-9098; BID, MISC
    check_diskio_project -- check_diskio | The check_diskio plugin 3.2.6 and earlier for Nagios and Icinga allows local users to write to arbitrary files via a symlink attack on a temporary file with a predictable name (tmp/check_diskio_status-*-*). | 2014-11-28 | 3.6 | CVE-2014-8994; XF, BID, MLIST, MLIST
    ibm -- websphere_portal | Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2014-11-25 | 3.5 | CVE-2014-6093; XF
    liferay -- liferay_portal | Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file. | 2014-11-24 | 3.5 | CVE-2014-8349; FULLDISC, MISC
    mantisbt -- mantisbt | Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987. | 2014-11-24 | 3.5 | CVE-2014-8986; MLIST, MLIST, MLIST, MLIST
    moodle -- moodle | Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter. | 2014-11-24 | 3.5 | CVE-2014-7830; MLIST, CONFIRM
    moodle -- moodle | webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area. | 2014-11-24 | 2.1 | CVE-2014-7835; CONFIRM, MLIST, CONFIRM
    python -- pip | pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. | 2014-11-24 | 2.1 | CVE-2014-8991; CONFIRM, CONFIRM, BID, MLIST, MLIST
    Back to top


CERT Technical Feed

US-CERT Alerts
Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk.
  • TA14-353A: Targeted Destructive Malware
    Original release date: December 19, 2014

    Systems Affected

    Microsoft Windows

    Overview

    US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.

    SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If a password is guessed correctly, a file share is established, and a file is copied to and run on the newly infected host.

    Listening Implant: During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase "National Football League." Additionally, this implant listens for connections on TCP port 195 (for "sensvc.exe" and "msensvc.exe") and TCP port 444 (for "netcfg.dll"). Each message sent to and from this implant is preceded with its length, then XOR encoded with the byte 0x1F. Upon initial connection, the victim sends the string, "HTTP/1.1 GET /dns?\x00." The controller then responds with the string "200 www.yahoo.com!\x00" (for "sensvc.exe" and "msensvc.exe") or with the string "RESPONSE 200 OK!!" (for "netcfg.dll"). The controller sends the byte "!" (0x21) to end the network connection. This special message is not preceded with a length or XOR encoded.
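
    As an added example, not part of the US-CERT alert, the Python below decodes the message framing just described for the listening implant: a length prefix, then the payload, the whole frame XOR-encoded with 0x1F, with a bare "!" closing the connection. The 4-byte little-endian length (counting the payload's trailing NUL) is an assumption inferred from the content bytes of the Backdoor1 Snort rule further down the page, which are used here as a constructed sample; a brute-force key recovery over the known handshake text is included because the other Backdoor rules carry the same strings under different keys.

```python
"""Decoder for the listening implant's message framing (added example).

Framing assumed from the content bytes of the published Snort rules:
a 4-byte little-endian length (counting the payload's trailing NUL),
then the payload, with every byte of the frame XOR-encoded with one
key byte (0x1F per the alert; other samples evidently used other keys).
"""
from typing import List, Optional, Tuple

DEFAULT_KEY = 0x1F  # key named in the alert text
TERMINATOR = b"!"   # sent un-encoded and without a length prefix

# Handshake strings quoted in the alert, used as known plaintext.
KNOWN_MARKERS = (
    b"HTTP/1.1 GET /dns?",
    b"200 www.yahoo.com!",
    b"RESPONSE 200 OK!!",
    b"HTTP",
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single key byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def build_frame(payload: bytes, key: int = DEFAULT_KEY) -> bytes:
    """Produce the on-the-wire form of one message, for building test vectors.

    The declared length counts the NUL terminator appended to the payload.
    """
    body = payload + b"\x00"
    return xor_bytes(len(body).to_bytes(4, "little") + body, key)


def decode_frame(raw: bytes, key: int = DEFAULT_KEY) -> Optional[Tuple[int, bytes]]:
    """Decode one frame at the start of raw.

    Returns (declared_length, payload_with_nul), or None when the data is
    truncated or the declared length is implausible for this protocol.
    """
    plain = xor_bytes(raw[:4], key)
    if len(plain) < 4:
        return None
    length = int.from_bytes(plain, "little")
    if length == 0 or length > 0x10000 or len(raw) < 4 + length:
        return None
    return length, xor_bytes(raw[4:4 + length], key)


def parse_stream(raw: bytes, key: int = DEFAULT_KEY) -> Tuple[List[bytes], bool]:
    """Walk a captured one-direction stream frame by frame.

    Returns the decoded payloads and whether the bare '!' terminator was
    seen at a frame boundary (the only place the alert says it appears).
    """
    messages: List[bytes] = []
    pos = 0
    while pos < len(raw):
        if raw[pos:pos + 1] == TERMINATOR:
            return messages, True
        frame = decode_frame(raw[pos:], key)
        if frame is None:
            break  # truncated or not this protocol; stop rather than guess
        length, payload = frame
        messages.append(payload)
        pos += 4 + length
    return messages, False


def recover_key(raw: bytes, markers=KNOWN_MARKERS) -> Optional[int]:
    """Brute-force the single-byte XOR key from known handshake text.

    A single-byte XOR leaks its key to anyone holding a few bytes of known
    plaintext; this is how per-key signatures like the Snort rules are derived.
    """
    for key in range(256):
        plain = xor_bytes(raw, key)
        if any(marker in plain for marker in markers):
            return key
    return None


# Constructed samples: the content bytes of the Backdoor1 rule (key 0x1F),
# with the NUL that lies beyond the rule's depth appended, and the content
# bytes of the Backdoor3 rule (a different key, no length prefix).
BACKDOOR1_BYTES = bytes.fromhex(
    "0c1f1f1f4d5a4c4f50514c5a3f2d2f2f3f50543e3e3e" + "1f"
)
BACKDOOR3_BYTES = bytes.fromhex("17081413670f1313176715021612021413784747")

if __name__ == "__main__":
    print(decode_frame(BACKDOOR1_BYTES))
    print(parse_stream(BACKDOOR1_BYTES + TERMINATOR))
    key = recover_key(BACKDOOR3_BYTES)
    print(hex(key), xor_bytes(BACKDOOR3_BYTES, key))
```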

    Lightweight Backdoor: This is a backdoor listener that is designed as a service DLL. It includes functionality such as file transfer, system survey, process manipulation, file time matching and proxy capability. The listener can also perform arbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a victim host's firewall and take advantage of Universal Plug and Play (UPnP) mechanisms to discover routers and gateway devices and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks. There are no callback domains associated with this malware since connections are inbound only on a specified port number.

    Proxy Tool: Implants in this malware family are typically loaded via a dropper installed as a service, then configured to listen on TCP port 443. The implant may have an associated configuration file which can contain a configurable port. This proxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files.

    Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will overwrite portions of up to the first four physical drives attached, and overwrite the master boot record (MBR) with a program designed to cause further damage if the hard drive is rebooted. This leaves the victim machine non-operational with irrecoverable data. (There is a caveat for machines running Windows 7: such machines will continue to operate in a degraded state with the targeted files destroyed until the next reboot, at which point the infected MBR wipes the drive.) If the actor has user-level access, the result is that specific files are deleted and practically irrecoverable, but the victim machine remains usable.

    Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.

    Network Propagation Wiper: The malware has the ability to propagate throughout the target network via built-in Windows shares. Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems. The malware uses several methods to access shares on the remote systems to begin wiping files: it checks for existing shares via “\\hostname\admin$\system32” and “\\hostname\shared$\system32”, or creates a new share with “cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL”. Once successful, the malware uploads a copy of the wiper file “taskhostXX.exe”, changes its file time to match that of the built-in file “calc.exe”, and starts the remote process. The remote process is started via the command “cmd.exe /c wmic.exe /node:hostname /user:username /password:pass PROCESS CALL CREATE”, with the hostname, username, and password taken from the configuration file. Afterwards, the remote network share is removed via “cmd.exe /q /c net share shared$ /delete”. Once the wiper has been uploaded, the malware reports its status back to one of the four C2 IP addresses.

    Technical and strategic mitigation recommendations are included in the Solution section below.

    US-CERT recommends reviewing the Security Tip Handling Destructive Malware #ST13-003.

    Description

    Cyber threat actors are using an SMB worm to conduct cyber exploitation activities.  This tool contains five components – a listening implant, lightweight backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool.

    The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a C2 infrastructure.

    Impact

    Due to the highly destructive functionality of this malware, an organization infected could experience operational impacts including loss of intellectual property and disruption of critical systems.

    Solution

    Users and administrators are recommended to take the following preventive measures to protect their computer networks:

    • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
    • Keep your operating system and application software up-to-date – Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
    • Review Security Tip Handling Destructive Malware #ST13-003 and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.
    • Review Recommended Practices for Control Systems, and Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies (pdf).

    The following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine whether they are present on a network.


    Name: d1c27ee7ce18675974edf42d4eea25c6.bin
    Size: 268579 bytes (268.6 KB)
    MD5: D1C27EE7CE18675974EDF42D4EEA25C6
    PE Compile Time: 2014-11-22 00:06:54

    The malware has the following characteristics:

    While the original filename of this file is unknown, it was likely “diskpartmg16.exe”. This file serves as a dropper: it drops the destructive malware “igfxtrayex.exe”. When the dropper file was executed, it started a second instance of itself with “-i” as an argument, and then terminated. The second instance of the dropper file installed itself as the “WinsSchMgmt” service with “-k” as a command line argument, started the service, and then terminated. The “WinsSchMgmt” service executed the file with “-k” as an argument, which started another instance of the file using “-s” as an argument. The “-s” instance dropped and executed “igfxtrayex.exe”, created “net_ver.dat”, and began generating network traffic over TCP ports 445 and 139 to victim IP addresses.

    Name: net_ver.dat
    Size: 4572 bytes (4.6 KB) (size will vary)
    MD5: 93BC819011B2B3DA8487F964F29EB934 (hash will vary)

    This is a log file created by the dropper and appended to as the scans progress. It contains what appear to be hostnames, IP addresses, and the number 2. Entries in the file have the structure “HOSTNAME | IP Address | 2”.

    Name: igfxtrayex.exe
    Size: 249856 bytes (249.9 KB)
    MD5: 760C35A80D758F032D02CF4DB12D3E55
    PE Compile Time: 2014-11-24 04:11:08

    This file is destructive malware: a disk wiper with network beacon capabilities. If “igfxtrayex.exe” is run with no parameters, it creates and starts a copy of itself with the “-i” argument. After 10 minutes, “igfxtrayex.exe” makes three copies of itself and places them in the same directory from which it was executed. These copies are named according to the format “taskhostXX.exe” (where X is a randomly generated ASCII character). These copies are then executed, each with a different argument (one being “-m”, one being “-d” and the other “-w”). Network connection attempts are made to one of three hard-coded IP addresses in a random order to port 8080 or 8000. If a connection to the IP address cannot be made, it attempts to connect to another of the three IP addresses, until connections to all three IP addresses have been attempted. The following command-line string is then executed: “cmd.exe /c net stop MSExchangeIS /y”. A 120-minute (2 hour) sleep command is issued, after which the computer is shut down and rebooted.
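
    As an added example (not part of the US-CERT alert), the Python below turns the command lines quoted in the Network Propagation Wiper paragraph and in the dropper and wiper descriptions above into detection rules and runs them over constructed process-creation and service-install events. The event format, the rule names, and the hostnames, paths and password placeholder in the sample events are this example's own assumptions.

```python
"""Command-line and service-name detections for the propagation and
dropper behaviour described in the alert (added example, not from US-CERT).

Events are a constructed, simplified form of process-creation /
service-install telemetry: each is a dict with a "cmdline" and an optional
"service_name". The rule names are this example's own.
"""
import re
from typing import Dict, List, Set

# Each pattern is anchored to a command string quoted in the alert text.
RULES = [
    ("wiper_share_creation",
     re.compile(r"net\s+share\s+shared\$=%SystemRoot%\s*/GRANT:everyone,\s*FULL", re.I)),
    ("wiper_share_cleanup",
     re.compile(r"net\s+share\s+shared\$\s*/delete", re.I)),
    ("wmic_remote_process_create",
     re.compile(r"wmic(?:\.exe)?\s+/node:\S+\s+/user:\S+\s+/password:\S+\s+PROCESS\s+CALL\s+CREATE", re.I)),
    # taskhostXX.exe copies run with -m, -d or -w; requiring the argument keeps
    # legitimate taskhost.exe / taskhostw.exe / taskhostex.exe from matching.
    ("taskhost_wiper_copy",
     re.compile(r"taskhost[^\\\s\"]{2}\.exe\"?\s+-[mdw]\b", re.I)),
    ("exchange_store_stop",
     re.compile(r"net\s+stop\s+MSExchangeIS\s+/y", re.I)),
    ("dropper_stage_argument",
     re.compile(r"diskpartmg16\.exe\"?\s+-[iks]\b", re.I)),
    ("dropper_payload_igfxtrayex",
     re.compile(r"\bigfxtrayex\.exe\b", re.I)),
]
DROPPER_SERVICE = "WinsSchMgmt"  # service name quoted in the alert


def match_event(event: Dict[str, str]) -> Set[str]:
    """Return the names of all rules an event triggers."""
    hits = {name for name, pat in RULES if pat.search(event.get("cmdline", ""))}
    if event.get("service_name", "").lower() == DROPPER_SERVICE.lower():
        hits.add("dropper_service_installed")
    return hits


def scan_events(events: List[Dict[str, str]]) -> List[Set[str]]:
    """Per-event rule hits, index-aligned with the input."""
    return [match_event(e) for e in events]


def lateral_wiper_chain(events: List[Dict[str, str]]) -> bool:
    """True when the share-creation and wmic-remote-start steps both appear:
    together they form the remote wiper deployment sequence the alert describes."""
    seen: Set[str] = set().union(*scan_events(events))
    return {"wiper_share_creation", "wmic_remote_process_create"} <= seen


# Constructed sample telemetry: hostnames, paths and the password placeholder
# are invented; the command shapes follow the alert text.
SAMPLE_EVENTS = [
    {"cmdline": r"cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL"},
    {"cmdline": r"cmd.exe /c wmic.exe /node:FILESRV01 /user:CORP\svc_backup "
                r"/password:REDACTED PROCESS CALL CREATE C:\Windows\taskhostA7.exe"},
    {"cmdline": r"C:\Windows\taskhostA7.exe -w"},
    {"cmdline": r"cmd.exe /c net stop MSExchangeIS /y"},
    {"cmdline": r"cmd.exe /q /c net share shared$ /delete"},
    {"cmdline": r"net share Public=C:\Users\Public /GRANT:everyone,READ"},  # benign
    {"cmdline": r"C:\Windows\System32\taskhostw.exe"},                      # benign
    {"cmdline": r"C:\Temp\diskpartmg16.exe -i"},
    {"cmdline": r"C:\Temp\diskpartmg16.exe -k", "service_name": "WinsSchMgmt"},
    {"cmdline": r"C:\Temp\igfxtrayex.exe"},
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan_events(SAMPLE_EVENTS)):
        print(sorted(hits) or "-", event["cmdline"])
    print("lateral wiper chain:", lateral_wiper_chain(SAMPLE_EVENTS))
```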

     

    Name: iissvr.exe
    Size: 114688 bytes (114.7 KB)
    MD5: E1864A55D5CCB76AF4BF7A0AE16279BA
    PE Compile Time: 2014-11-13 02:05:35

    This file, when executed, starts a listener on localhost port 80. It has three files contained in its resource section, all XOR’d with 0x63.

    Name: usbdrv3_32bit.sys
    Size: 24280 bytes (24.3 KB)
    MD5: 6AEAC618E29980B69721158044C2E544
    PE Compile Time: 2009-08-21 06:05:32

    This SYS file is a commercially available tool that allows read/write access to files and raw disk sectors for user mode applications in Windows 2000, XP, 2003, Vista, 2008 (32-bit). It is dropped from resource ID 0x81 of “igfxtrayex.exe”.

    Name: usbdrv3_64bit.sys
    Size: 28120 bytes (28.1 KB)
    MD5: 86E212B7FC20FC406C692400294073FF
    PE Compile Time: 2009-08-21 06:05:35

    This SYS file is also a commercially available tool that allows read/write access to files and raw disk sectors for user mode applications in Windows 2000, XP, 2003, Vista, 2008 (64-bit). It is dropped from resource ID 0x83 of “igfxtrayex.exe”.

    Name: igfxtpers.exe
    Size: 91888 bytes (91.9 KB)
    MD5: e904bf93403c0fb08b9683a9e858c73e
    PE Compile Time: 2014-07-07 08:01:09

    A summary of the C2 IP addresses:


    Snort signatures:

    SMB Worm Tool (not necessarily the tool itself):

    alert tcp any any -> any any (msg:"Wiper1";content:"|be 64 ba f2 a8 64|";offset:16;depth:6;sid:1;)

    alert tcp any any -> any any (msg:"Wiper2";content:"|c9 06 d9 96 fc 37 23 5a fe f9 40 ba 4c 94 14 98|";offset:0;depth:16;sid:3;)

    alert tcp any any -> any any (msg:"Wiper3";content:"|aa 64 ba f2 56 9b|";offset:0;depth:50;sid:2;)

    alert ip any any -> any any (msg:"Wiper4";content:"|aa 74 ba f2 b9 75|";offset:0;depth:74;sid:4;)

     

    Listening Implant:

    alert tcp any any -> any any (msg:"Backdoor1";content:"|0c 1f 1f 1f 4d 5a 4c 4f 50 51 4c 5a 3f 2d 2f 2f 3f 50 54 3e 3e 3e|";offset:0;depth:22;sid:9;)

    alert tcp any any -> any any (msg:"Backdoor2";content:"|d3 c4 d2 d1 ce cf d2 c4 a1 b3 b1 b1 a1 ce ca a0 a0 a0|";offset:0;depth:18;sid:12;)

    alert ip any any -> any any (msg:"Backdoor3";content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78 47 47|";depth:24;sid:1;)

    alert ip any any -> any any (msg:"Backdoor4";content:"|4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20 1f|";depth:23;sid:2;)

    alert ip any any -> any any (msg:"Backdoor5";content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0c 66 66 66|";depth:22;sid:3;)

    alert tcp any any -> any any (msg:"Backdoor6";content:"|09 22 33 30 28 35 2c|";sid:4;)

    alert tcp any any -> any any (msg:"Backdoor7";content:"|13 2f 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|";sid:5;)

    alert tcp any any -> any any (msg:"Backdoor8";content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|";sid:6;)

    alert tcp any any -> any any (msg:"Backdoor9";content:"|43 47 47 47 42 67 47 47 43 47 47 47 4f 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4e 67 47 47|";sid:7;)

    alert tcp any any -> any any (msg:"Backdoor10";content:"|d1 ce d2 d5 a1 c9 d5 d5 d1 a1 d3 c4 d0 d4 c4 d2 d5 be|";offset:0;depth:18;sid:8;)

    alert tcp any any -> any any (msg:"Backdoor11";content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78|";offset:0;depth:18;sid:10;)

    alert tcp any any -> any any (msg:"Backdoor12";content:"|0c 1f 1f 1f 4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20|";sid:11;)

     

    Lightweight Backdoor:

    alert tcp any 488 <> any any (msg:"Proxy1";content:"|60 db 37 37 37 37 37 37|";sid:3;)

    alert tcp any any -> any 488 (msg:"Proxy2";content:"|60 db 37 37 37 37 37 37|";sid:4;)

    alert tcp any any -> any any (msg:"Proxy3";content:"|4c 4c|";offset:16;depth:2;content:"|75 14 2a 2a|";distance:4;within:4;sid:4;)

    alert tcp any any -> any any (msg:"Proxy4";content:"|8A 10 80 C2 67 80 F2 24 88 10|";content:"|8A 10 80 F2 24 80 EA 67 88 10|";sid:2;)

    alert tcp any 488 <> any any (msg:"Proxy5";content:"|65 db 37 37 37 37 37 37|";sid:2;)

    alert tcp any any -> any 488 (msg:"Proxy6";content:"|65 db 37 37 37 37 37 37|";sid:2;)

    alert tcp any [547,8080,133,117,189,159] -> any any (msg:"Proxy7";content:"|7b 08 2a 2a|";offset:17;content:"|08 2a 2a 01 00|";distance:0;sid:1;)

    alert tcp any any -> any any (msg:"Proxy8";content:"|8A 10 80 EA 62 80 F2 B4 88 10|";content:"|8A 10 80 F2 B4 80 C2 62 88 10|";sid:1;)

    alert tcp any any -> any any (msg:"Proxy9";content:"|8A 10 80 C2 4E 80 F2 79 88 10|";content:"|8A 10 80 F2 79 80 EA 4E 88 10|";sid:3;)

    alert tcp any any -> any any (msg:"Proxy10";content:"Sleepy!@#qaz13402scvsde890";nocase;content:"BC435@PRO62384923412!@3!";nocase;sid:5;)

     

    Proxy Tool:

    alert tcp any any -> any any (msg:"Wiper1";content:"|8A 10 80 C2 3A 80 F2 73 88 10|";content:"|8A 10 80 F2 73 80 EA 3A 88 10|";sid:4;)

    alert tcp any any -> any any (msg:"Wiper2";content:!"HTTP/1";content:"|e2 1d 49 49|";offset:0;depth:4;content:"|49 49 49 49|";distance:4;within:4;sid:6;)

    alert tcp any any -> any any (msg:"Wiper3";content:"|82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00|";sid:1;)

     

    Malware associated with the cyber threat actor:

    alert tcp any any -> any [8000,8080] (msg:"WIPER4";flow: established, to_server;dsize:42;content:"|28 00|";depth:2;content:"|04 00 00 00|";offset:38;depth:4;sid:123;)

     

    Host Based Indicators

    Below are potential YARA signatures to detect malware binaries on host machines:

    SMB Worm Tool:

    strings:
        $STR1 = "Global\\FwtSqmSession106829323_S-1-5-19"
        $STR2 = "EVERYONE"
        $STR3 = "y0uar3@s!llyid!07,ou74n60u7f001"
        $STR4 = "\\KB25468.dat"
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

    Lightweight Backdoor:

    strings:
        $STR1 = "NetMgStart"
        $STR2 = "Netmgmt.srg"
    condition:
        (uint16(0) == 0x5A4D) and all of them

    Lightweight Backdoor:

    strings:
        $STR1 = "prxTroy" ascii wide nocase
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

    Lightweight Backdoor:

    strings:
        $str1 = { C6 45 E8 64 C6 45 E9 61 C6 45 EA 79 C6 45 EB 69 C6 45 EC 70 C6 45 ED 6D C6 45 EE 72 C6 45 EF 2E C6 45 F0 74 C6 45 F1 62 C6 45 F2 6C } // 'dayipmr.tbl' being moved to ebp
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

    Lightweight Backdoor:

    strings:
        $str1 = { C6 45 F4 61 C6 45 F5 6E C6 45 F6 73 C6 45 F7 69 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'ansi.nls' being moved to ebp
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

    Lightweight Backdoor:

    strings:
        $str1 = { C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'tlvc.nls' being moved to ebp
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

    Lightweight Backdoor:

    strings:
        $STR1 = { 8A 10 80 ?? 4E 80 ?? 79 88 10 }
        $STR2 = { 8A 10 80 ?? 79 80 ?? 4E 88 10 }
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

    Proxy Tool:

    strings:
        $STR1 = "pmsconfig.msi" wide
        $STR2 = "pmslog.msi" wide
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them

    Proxy Tool:

    strings:
        $STR1 = { 82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00 } // '%SystemRoot%\System32\svchost.exe -k' xor A7
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

    Proxy Tool:

    strings:
        $STR2 = { 8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF }
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $STR2

    Destructive Hard Drive Tool:

    strings:
        $str0 = "MZ"
        $str1 = { c6 84 24 ?? ( 00 | 01 ) 00 00 }
        $xorInLoop = { 83 EC 20 B9 08 00 00 00 33 D2 56 8B 74 24 30 57 8D 7C 24 08 F3 A5 8B 7C 24 30 85 FF 7E 3A 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C 88 5C 0C 0D 49 83 F9 FF 7F F2 42 88 44 24 0C 3B D7 7C D0 5B 5F 5E 83 C4 20 C3 }
    condition:
        $str0 at 0 and $xorInLoop and #str1 > 300

    Destructive Target Cleaning Tool:

    strings:
        $s1 = { d3000000 [4] 2c000000 [12] 95000000 [4] 6a000000 [8] 07000000 }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them

    Destructive Target Cleaning Tool:

    strings:
        $secureWipe = { 83 EC 34 53 55 8B 6C 24 40 56 57 83 CE FF 55 C7 44 24 2C D3 00 00 00 C7 44 24 30 2C 00 00 00 89 74 24 34 89 74 24 38 C7 44 24 3C 95 00 00 00 C7 44 24 40 6A 00 00 00 89 74 24 44 C7 44 24 14 07 00 00 00 FF 15 ?? ?? ?? ?? 3B C6 89 44 24 1C 0F 84 (D8 | d9) 01 00 00 33 FF 68 00 00 01 00 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF 89 5C 24 14 0F 84 (BC | BD) 01 00 00 8B 44 24 1C A8 01 74 0A 24 FE 50 55 FF 15 ?? ?? ?? ?? 8B 44 24 4C 2B C7 74 20 48 74 0F 83 E8 02 75 1C C7 44 24 10 03 00 00 00 EB 12 C7 44 24 10 01 00 00 00 89 74 24 28 EB 04 89 7C 24 10 8B 44 24 10 89 7C 24 1C 3B C7 0F 8E ( 5C | 5d ) 01 00 00 8D 44 24 28 89 44 24 4C EB 03 83 CE FF 8B 4C 24 4C 8B 01 3B C6 74 17 8A D0 B9 00 40 00 00 8A F2 8B FB 8B C2 C1 E0 10 66 8B C2 F3 AB EB ( 13 | 14) 33 F6 (E8 | ff 15) ?? ?? ?? ?? 88 04 1E 46 81 FE 00 00 01 00 7C ( EF | ee) 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 55 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 0F 84 FA 00 00 00 8D 44 24 20 50 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A 02 6A 00 6A FF 56 FF D5 8D 4C 24 18 6A 00 51 6A 01 53 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 8B 44 24 24 8B 54 24 20 33 FF 33 DB 85 C0 7C 5A 7F 0A 85 D2 76 54 EB 04 8B 54 24 20 8B CA BD 00 00 01 00 2B CF 1B C3 85 C0 7F 0A 7C 04 3B CD 73 04 2B D7 8B EA 8B 44 24 14 8D 54 24 18 6A 00 52 55 50 56 FF 15 ?? ?? ?? ?? 8B 6C 24 18 8B 44 24 24 03 FD 83 D3 00 3B D8 7C BE 7F 08 8B 54 24 20 3B FA 72 B8 8B 2D ?? ?? ?? ?? 8B 5C 24 10 8B 7C 24 1C 8D 4B FF 3B F9 75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 4C 8B 6C 24 48 47 83 C1 04 3B FB 8B 5C 24 14 89 7C 24 1C 89 4C 24 4C 0F 8C ( AE | AD) FE FF FF 6A 00 55 E8 ?? ?? ?? ?? 83 C4 08 53 FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 83 C4 34 C3 }
    condition:
        $secureWipe

    Destructive Target Cleaning Tool:

    strings:
        $S1_CMD_Arg = "/install" fullword
        $S2_CMD_Parse = "\"%s\" /install \"%s\"" fullword
        $S3_CMD_Builder = "\"%s\" \"%s\" \"%s\" %s" fullword
    condition:
        all of them

    Destructive Target Cleaning Tool:

    strings:
        $BATCH_SCRIPT_LN1_0 = "goto x" fullword
        $BATCH_SCRIPT_LN1_1 = "del" fullword
        $BATCH_SCRIPT_LN2_0 = "if exist" fullword
        $BATCH_SCRIPT_LN3_0 = ":x" fullword
        $BATCH_SCRIPT_LN4_0 = "zz%d.bat" fullword
    condition:
        (#BATCH_SCRIPT_LN1_1 == 2) and all of them

    Destructive Target Cleaning Tool:

    strings:
        $MCU_DLL_ZLIB_COMPRESSED2 = { 5CECABAE813CC9BCD5A542F454910428343479806F71D5521E2A0D }
    condition:
        $MCU_DLL_ZLIB_COMPRESSED2

    Destructive Target Cleaning Tool:

    strings:
        $MCU_INF_StartHexDec = { 010346080A30D63633000B6263750A5052322A00103D1B570A30E67F2A00130952690A503A0D2A000E00A26E15104556766572636C7669642E657865 }
        $MCU_INF_StartHexEnc = { 6C3272386958BF075230780A0A54676166024968790C7A6779588F5E47312739310163615B3D59686721CF5F2120263E1F5413531F1E004543544C55 }
    condition:
        $MCU_INF_StartHexEnc or $MCU_INF_StartHexDec

    Destructive Target Cleaning Tool:

    strings:

    $ = "SetFilePointer"

    $ = "SetEndOfFile"

    $ = {75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56}

    condition:

    (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them

     

    Destructive Target Cleaning Tool:

    strings:

    $license=

    {E903FFFF820050006F007200740069006F006E007300200063006F007000790072006900670068007400200052006F006200650072007400200064006500200042006100740068002C0020004A006F007200690073002000760061006E002000520061006E007400770069006A006B002C002000440065006C00690061006E000000000000000250000000000A002200CE000800EA03FFFF8200}

    $PuTTY= {50007500540054005900}

    condition:

    (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $license and not $PuTTY

     

    Malware used by cyber threat actor:

    strings:

    $heapCreateFunction_0 = {33C06A003944240868001000000F94C050FF15????????85C0A3???????07436E893FEFFFF83F803A3???????0750D68F8030000E8??00000059EB0A83F8027518E8????000085C0750FFF35???????0FF15???????033C0C36A0158C3}

    $heapCreateFunction =

    {558BECB82C120000E8????FFFF8D8568FFFFFF5350C78568FFFFFF94000000FF1????????085C0741A83BD78FFFFFF02751183BD6CFFFFFF0572086A0158E9020100008D85D4EDFFFF68901000005068???????0FF15???????085C00F84D000000033DB8D8DD4EDFFFF389DD4EDFFFF74138A013C617C083C7A7F042C20880141381975ED8D85D4EDFFFF6A165068???????0E8????000083C40C85C075088D85D4EDFFFFEB498D8564FEFFFF68040100005053FF15???????0389D64FEFFFF8D8D64FEFFFF74138A013C617C083C7A7F042C20880141381975ED8D8564FEFFFF508D85D4EDFFFF50E8????????59593BC3743E6A2C50E8????????593BC3597430408BC83818740E80393B75048819EB0141381975F26A0A5350E8????000083C40C83F802741D83F803741883F80174138D45FC50E898FEFFFF807DFC06591BC083C0035BC9C3}

    $getMajorMinorLinker =

    {568B7424086A00832600FF15???????06681384D5A75148B483C85C9740D03C18A481A880E8A401B8846015EC3}

    $openServiceManager =

    {FF15???0?0?08B?885??74????????????????5?FF15???0?0?08B?????0?0?08BF?85F?74}

    condition:

    all of them

     

    Malware used by cyber threat actor:

    strings:

    $str1 = "_quit"

    $str2 = "_exe"

    $str3 = "_put"

    $str4 = "_got"

    $str5 = "_get"

    $str6 ="_del"

    $str7 = "_dir"

    $str8 = { C7 44 24 18 1F F7}

    condition:

    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Malware used by cyber threat actor:

    strings:

    $STR1 = { 50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3a 8b 00 00 }

    condition:

    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
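
    The rules above lean on three YARA features that are easy to misread when the rules are ported to another engine: hex strings with `??` byte wildcards, nibble wildcards such as `?0`, and `( A | B )` alternations; the PE gate `uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550` (little-endian reads, so the values are the bytes "MZ" and "PE"); and `fullword` matching with the `#count` operator. The following Python is an added example, not part of the US-CERT advisory and not YARA's own code. It reimplements only those pieces and runs the batch-script rule and the SetFilePointer/SetEndOfFile rule over a constructed buffer; the function names (hex_pattern_to_regex, is_pe, count_fullword, build_sample) and the sample bytes are this example's own.

```python
"""Added example: minimal re-implementation of the YARA constructs used by the
rules above, checked against a constructed sample. Not YARA and not a real
malware sample; function names are this example's own."""
import re
import struct


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string such as {0F 84 (D8 | D9) 01 00 00} or
    {FF 15 ?? ?? ?0} into a bytes regex. Handles full-byte wildcards (??),
    nibble wildcards (?0, F?) and ( A | B ) alternations; jumps like [4-6]
    are not used by the rules above and are not handled here."""
    parts = []
    for tok in re.findall(r"\(|\)|\||[0-9A-Fa-f?]{2}", pattern.strip().strip("{}")):
        if tok == "(":
            parts.append("(?:")
        elif tok in (")", "|"):
            parts.append(tok)
        elif tok == "??":
            parts.append(".")  # any byte; re.DOTALL below makes '.' match 0x0A as well
        elif "?" in tok:
            hi, lo = tok  # nibble wildcard: enumerate the byte values it admits
            vals = [(h << 4) | l for h in range(16) for l in range(16)
                    if (hi == "?" or h == int(hi, 16)) and (lo == "?" or l == int(lo, 16))]
            parts.append("[" + "".join("\\x%02x" % v for v in vals) + "]")
        else:
            parts.append("\\x%02x" % int(tok, 16))
    return re.compile("".join(parts).encode("ascii"), re.DOTALL)


def is_pe(data: bytes) -> bool:
    """The rules' PE gate: uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550.
    YARA's uintN() reads little-endian, so these are the bytes 'MZ' and 'PE'."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):
        return False  # an out-of-range read is undefined in YARA and the condition fails
    return struct.unpack_from("<H", data, e_lfanew)[0] == 0x4550


def count_fullword(data: bytes, word: bytes) -> int:
    """Occurrences of word with YARA 'fullword' semantics: a match may not be
    preceded or followed by an alphanumeric byte, so "del" inside "model" does
    not count. This is what #BATCH_SCRIPT_LN1_1 == 2 counts."""
    rx = re.compile(rb"(?<![0-9A-Za-z])" + re.escape(word) + rb"(?![0-9A-Za-z])")
    return len(rx.findall(data))


BATCH_WORDS = [b"goto x", b"del", b"if exist", b":x", b"zz%d.bat"]
SETEOF_HEX = "{75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56}"


def batch_rule_matches(data: bytes) -> bool:
    """Self-deleting batch script rule: every word present as a full word, 'del' exactly twice."""
    return count_fullword(data, b"del") == 2 and all(count_fullword(data, w) >= 1 for w in BATCH_WORDS)


def seteof_rule_matches(data: bytes) -> bool:
    """SetFilePointer/SetEndOfFile rule: a PE file with both import names and the call sequence."""
    return (is_pe(data) and b"SetFilePointer" in data and b"SetEndOfFile" in data
            and hex_pattern_to_regex(SETEOF_HEX).search(data) is not None)


def build_sample() -> bytes:
    """Constructed input (not a real sample): a minimal MZ/PE header, the two import
    names, a call sequence shaped like SETEOF_HEX and a batch fragment that uses
    each of the rule's words, with 'del' exactly twice."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 0x40)  # e_lfanew points right after the DOS header
    body = b"PE\x00\x00" + b"\x00" * 60
    body += b"SetFilePointer\x00SetEndOfFile\x00"
    body += bytes.fromhex("751756ff15102040006a006a006a0056ffd556ff151420400056")
    body += b'\x00if exist "%s" goto x\r\ndel "%s"\r\ndel zz%d.bat\r\n:x\r\n'
    return bytes(dos) + body


if __name__ == "__main__":
    sample = build_sample()
    print("PE header:", is_pe(sample))
    print("batch-script rule:", batch_rule_matches(sample))
    print("SetEndOfFile rule:", seteof_rule_matches(sample))
```

    Two details matter when these rules are reproduced elsewhere: `fullword` is a boundary test on alphanumerics, not a whitespace test, and `#name == 2` is an exact count, so a file containing the word three times is deliberately not a match. The nibble wildcards in `$openServiceManager` and `$heapCreateFunction` (`???0`) likewise constrain a single nibble, which a byte-granular `??` would not.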

     

    Recommended Security Practices

    Because of the highly destructive functionality of the malware, an organization infected with the malware could experience operational impacts including loss of intellectual property (IP) and disruption of critical systems. Actual impact to organizations may vary depending on the type and number of systems impacted.

    Tactical Mitigations

    • Implement the indicators of compromise within your systems for detection and mitigation purposes.
    • Encourage users to move critical files to network shares so that they are covered by centralized backups.
    • Execute daily backups of all critical systems.
    • Periodically execute an "offline" backup of critical files to removable media.
    • Establish emergency communications plans should network resources become unavailable.
    • Isolate any critical networks (including operations networks) from business systems.
    • Identify critical systems and evaluate the need for having on-hand spares to quickly restore service.
    • Ensure antivirus is up to date.
    • Disable credential caching on all desktop devices, with particular importance on critical systems such as servers, and restrict the number of cached credentials on portable devices to no more than three where possible. This can be enforced through a Group Policy Object (GPO).
    • Disable AutoRun and AutoPlay for all removable media devices.
    • Prevent or limit the use of removable media devices on systems, to limit the introduction or spread of malicious software and possible data exfiltration, except where there is a valid business case for their use. That business case must be approved by the organization's Chief IT Security Officer, with policy and guidance on how such media should be used.
    • Consider restricting account privileges. All daily operations should be executed using standard user accounts unless administrative privileges are required for that specific function. Configure all standard user accounts to prevent the execution and installation of unknown or unauthorized software. Both standard and administrative accounts should have access only to the services required for their normal daily duties, enforcing separation of duties. Lastly, disable web and email capabilities on administrative accounts: compromise of an admin account is one vector that allows malicious activity to become truly persistent in a network.
    • Ensure that password policy rules are enforced and that admin passwords are changed periodically.
    • Consider prohibiting hosts within the production environment or DMZ from sharing an Active Directory enterprise with hosts on other networks. Each environment should have its own Active Directory forest, with no trust relationships between the forests if at all possible. If a trust is necessary, it should be one-way, with the low-integrity environment trusting the higher-integrity environment.
    • Consider deploying a coaching page with click-through acceptance. These are traditionally used to log acceptance of the network acceptable-use policy or to notify users of monitoring, but they also provide some protection against automated malicious activity, because automated malware is normally incapable of clicking an acceptance radio button. Such malware is typically hardcoded to execute and then retrieve commands or additional executables from the Internet; if it cannot initiate that connection, the full chain of infection is potentially halted. A user may still authorize the access, but coaching pages can limit infections or at least reduce their rate.
    • Monitor logs: maintain and actively monitor a centralized logging solution that records all anomalous and potentially malicious activity.
    • Ensure that all network operating systems, web browsers, and other related network hardware and software remain updated with all current patches and fixes.

    Strategic Mitigations

    • Organizations should review Security Tip ST13-003, Handling Destructive Malware, and evaluate their capabilities for planning, preparation, detection, and response to such an event.
    • Always keep patch levels up to date, especially on computers that host public services reachable through the firewall, such as HTTP, FTP, mail, and DNS.
    • Build host systems, especially critical systems such as servers, with only the applications and components essential to their intended function. Remove or disable any unused applications or functions to limit the attack surface of the host.
    • Implement network segmentation through VLANs to limit the spread of malware.
    • Consider deploying a Software Restriction Policy that allows only approved software to execute (application whitelisting).
    • Whitelist legitimate executable directories to prevent the execution of potentially malicious binaries from elsewhere.
    • Consider two-factor authentication for access to privileged (root-level) accounts and systems.
    • Consider requiring two-factor authentication for remote access through a hardened IPsec VPN gateway, with split tunneling prohibited.
    • Deny direct Internet access for enterprise servers and workstations except through proxies. Perform regular content filtering at the proxies or at external firewall points of presence, and consider an explicit rather than a transparent proxy policy.
    • Implement a Secure Sockets Layer (SSL) inspection capability to inspect both ingress and egress encrypted network traffic for potentially malicious activity.
    • Isolate network services, such as email and web application servers, using a secure multi-tenant virtualization technology. This limits the damage sustained from the compromise of a single network component.
    • Implement best-practice guidance and policy restricting the use of non-corporate assets for processing or accessing corporate-controlled data or systems (e.g., working from home, or using a personal device while at the office). It is difficult to enforce corporate policies, detect intrusions, and conduct forensic analysis or remediate compromises on devices the organization does not own.
    • Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
    • Place control system networks behind firewalls, and isolate or air gap them from the business network.
    • When remote access is required, use secure methods such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the devices connected to it.
    • Industrial Control Systems (ICS)-CERT and US-CERT remind organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

    References

    Revision History

    • December 19, 2014: Initial Release

    This product is provided subject to this Notification and this Privacy & Use policy.


  • TA14-329A: Regin Malware
    Original release date: November 25, 2014

    Systems Affected

    Microsoft Windows NT, 2000, XP, Vista, and 7

    Overview

    On November 24, 2014, Symantec released a report on Regin, a sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns. At this time, the Regin campaign has not been identified targeting any organizations within the United States.

    Description

    Regin is a multi-staged, modular threat, meaning it has a number of components, each dependent on the others to perform an attack. Each of the five stages is hidden and encrypted, with the exception of the first stage. The modular design complicates analysis, as all components must be available in order to fully understand the Trojan.

    Impact

    Regin is a remote access Trojan (RAT), able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization. The complex design provides flexibility to actors, as they can load custom features tailored to individual targets. [1]

    Solution

    Users and administrators are encouraged to take the following preventive measures to protect their computer networks:

    • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information). [2]
    • Keep your operating system and application software up-to-date – Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).

    The following Indicators of Compromise (IOCs) can be loaded into network security solutions to determine whether Regin is present on a network.

    MD5s: [1]

    Stage 1 files, 32 bit:

    06665b96e293b23acc80451abb413e50

    187044596bc1328efa0ed636d8aa4a5c

    1c024e599ac055312a4ab75b3950040a

    2c8b9d2885543d7ade3cae98225e263b

    4b6b86c7fec1c574706cecedf44abded

    6662c390b2bbbd291ec7987388fc75d7

    b269894f434657db2b15949641a67532

    b29ca4f22ae7b7b25f79c1d4a421139d

    b505d65721bb2453d5039a389113b566

    26297dc3cd0b688de3b846983c5385e5

    ba7bb65634ce1e30c1e5415be3d1db1d

    bfbe8c3ee78750c3a520480700e440f8

    d240f06e98c8d3e647cbf4d442d79475

    ffb0b9b5b610191051a7bdf0806e1e47

    Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:

    01c2f321b6bfdb9473c079b0797567ba

    47d0e8f9d7a6429920329207a32ecc2e

    744c07e886497f7b68f6f7fe57b7ab54

    db405ad775ac887a337b02ea8b07fddc

    Stage 1, 64-bit system infection:

    bddf5afbea2d0eed77f2ad4e9a4f044d

    c053a0a3f1edcbbfc9b51bc640e808ce

    e63422e458afdfe111bd0b87c1e9772c

    Stage 2, 32 bit:

    18d4898d82fcb290dfed2a9f70d66833

    b9e4f9d32ce59e7c4daf6b237c330e25

    Stage 2, 64 bit:

    d446b1ed24dad48311f287f3c65aeb80

    Stage 3, 32 bit:

    8486ec3112e322f9f468bdea3005d7b5

    da03648948475b2d0e3e2345d7a9bbbb

    Stage 4, 32 bit:

    1e4076caa08e41a5befc52efd74819ea

    68297fde98e9c0c29cecc0ebf38bde95

    6cf5dc32e1f6959e7354e85101ec219a

    885dcd517faf9fac655b8da66315462d

    a1d727340158ec0af81a845abd3963c1

    Stage 4, 64 bit:

    de3547375fbf5f4cb4b14d53f413c503

    Note: Stages 2, 3, and 4 do not appear on infected systems as real files on disk. Hashes are provided for research purposes only.

    Registry branches used to store malware stages 2 and 3:

    \REGISTRY\Machine\System\CurrentControlSet\Control\RestoreList

    \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{39399744-44FC-AD65-474B-E4DDF-8C7FB97}

    \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{3F90B1B4-58E2-251E-6FFE-4D38C5631A04}

    \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{4F20E605-9452-4787-B793-D0204917CA58}

    \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58}

    IP IOCs [3]:

    61.67.114.73

    202.71.144.113

    203.199.89.80

    194.183.237.145
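
    The IOCs above are of two kinds that are matched differently: file hashes, which only identify stage 1 because stages 2 through 4 never exist as files on disk, and IP addresses, which must be matched as whole dotted quads so that 61.67.114.73 does not fire on 161.67.114.73. The following Python is an added example, not part of the US-CERT advisory: the hash and IP values are copied from the lists above, while the log lines and file bytes are constructed here and are not real telemetry or real samples. The function names (lookup_hash, classify_file, scan_log) are this example's own.

```python
"""Added example: sweep constructed inputs against the Regin stage 1 hashes and
IP IOCs listed above. Values come from the advisory; the log lines and file
contents below are constructed for the example and are not real data."""
import hashlib
import re

# Stage 1 MD5s from the advisory; the only stage that exists as a file on disk.
_STAGE1_32 = """06665b96e293b23acc80451abb413e50 187044596bc1328efa0ed636d8aa4a5c
1c024e599ac055312a4ab75b3950040a 2c8b9d2885543d7ade3cae98225e263b
4b6b86c7fec1c574706cecedf44abded 6662c390b2bbbd291ec7987388fc75d7
b269894f434657db2b15949641a67532 b29ca4f22ae7b7b25f79c1d4a421139d
b505d65721bb2453d5039a389113b566 26297dc3cd0b688de3b846983c5385e5
ba7bb65634ce1e30c1e5415be3d1db1d bfbe8c3ee78750c3a520480700e440f8
d240f06e98c8d3e647cbf4d442d79475 ffb0b9b5b610191051a7bdf0806e1e47""".split()
_STAGE1_MERGED = """01c2f321b6bfdb9473c079b0797567ba 47d0e8f9d7a6429920329207a32ecc2e
744c07e886497f7b68f6f7fe57b7ab54 db405ad775ac887a337b02ea8b07fddc""".split()
_STAGE1_64 = """bddf5afbea2d0eed77f2ad4e9a4f044d c053a0a3f1edcbbfc9b51bc640e808ce
e63422e458afdfe111bd0b87c1e9772c""".split()

REGIN_STAGE1_MD5 = {h: "stage 1, 32-bit" for h in _STAGE1_32}
REGIN_STAGE1_MD5.update({h: "stage 1, 32-bit (public source merged with malicious code)" for h in _STAGE1_MERGED})
REGIN_STAGE1_MD5.update({h: "stage 1, 64-bit" for h in _STAGE1_64})

REGIN_IPS = {"61.67.114.73", "202.71.144.113", "203.199.89.80", "194.183.237.145"}

# Whole-address match: no digit or dot may touch either end of the IOC,
# so 161.67.114.73 and 61.67.114.730 are not reported as hits.
_IP_RX = re.compile(r"(?<![\d.])(" + "|".join(re.escape(ip) for ip in sorted(REGIN_IPS)) + r")(?![\d.])")


def lookup_hash(md5hex: str):
    """Return the stage label for a known stage 1 MD5 (any case), else None."""
    return REGIN_STAGE1_MD5.get(md5hex.strip().lower())


def classify_file(data: bytes):
    """Hash file contents with MD5 and look the digest up in the IOC table."""
    return lookup_hash(hashlib.md5(data).hexdigest())


def scan_log(lines):
    """Return (line_number, ip) for every IOC IP referenced in the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _IP_RX.finditer(line):
            hits.append((n, m.group(1)))
    return hits


# Constructed firewall lines for the example; line 2 is a near-miss that must not match.
SAMPLE_LOG = [
    "2014-11-25T10:01:02Z ALLOW tcp 10.0.0.5:49152 -> 61.67.114.73:443",
    "2014-11-25T10:01:03Z ALLOW tcp 10.0.0.5:49153 -> 161.67.114.73:443",
    "2014-11-25T10:01:04Z DENY  tcp 10.0.0.7:49160 -> 203.199.89.80:80",
    "2014-11-25T10:01:05Z ALLOW udp 10.0.0.9:53 -> 8.8.8.8:53",
]

if __name__ == "__main__":
    for n, ip in scan_log(SAMPLE_LOG):
        print("line %d references Regin IOC %s" % (n, ip))
    print("constructed file:", classify_file(b"not a Regin stage 1 file"))
```

    A hit on the hash table is strong evidence, but a miss is not exoneration: the advisory notes that stages 2 through 4 live in the registry branches listed above rather than on disk, so a host sweep should also look for those keys, and a network sweep should treat the IP list as a starting point rather than the full infrastructure.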

    References

    Revision History

    • November 25, 2014: Initial Release



  • TA14-323A: Microsoft Windows Kerberos KDC Remote Privilege Escalation Vulnerability
    Original release date: November 19, 2014 | Last revised: November 25, 2014

    Systems Affected

    • Microsoft Windows Vista, 7, 8, and 8.1
    • Microsoft Windows Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2

    Overview

    A remote escalation of privilege vulnerability exists in implementations of Kerberos Key Distribution Center (KDC) in Microsoft Windows which could allow a remote attacker to take control of a vulnerable system. [1]

    Description

    The Microsoft Windows Kerberos KDC fails to properly validate the signature on the Privilege Attribute Certificate (PAC) carried in Kerberos tickets, which allows the privilege data in a ticket to be forged. The improper check allows an attacker holding a valid domain user account to escalate to domain administrator privileges, which renders the entire domain vulnerable to compromise.

    At the time this release was issued, Microsoft was aware of limited, targeted attacks attempting to exploit this vulnerability.

    Impact

    A valid domain user can present a forged ticket claiming domain administrator privileges, gain access to, and compromise any system on the domain, including the domain controller. [2]

    Solution

    An update is available from Microsoft. Please see Microsoft Security Bulletin MS14-068 and the Microsoft Security Research and Defense blog for more details, and apply the necessary updates. [1, 3]

    References

    Revision History

    • November 19, 2014: Initial Draft
    • November 25, 2014: Revised formatting
