Vendor CVEs
Debian
All CVEs
3,338 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-3660 | 0.00 | — | 0.04 | Nov 4, 2014 | parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested… | |||
| CVE-2014-0490 | 0.00 | — | 0.04 | Nov 3, 2014 | The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package. | |||
| CVE-2014-0489 | 0.00 | — | 0.04 | Nov 3, 2014 | APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package. | |||
| CVE-2014-0488 | 0.00 | — | 0.02 | Nov 3, 2014 | APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data. | |||
| CVE-2014-0487 | 0.00 | — | 0.02 | Nov 3, 2014 | APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors. | |||
| CVE-2014-3615 | 0.00 | — | 0.00 | Nov 1, 2014 | The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution. | |||
| CVE-2014-3694 | 0.00 | — | 0.02 | Oct 29, 2014 | The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to… | |||
| CVE-2014-5026 | 0.00 | — | 0.02 | Oct 20, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host… | |||
| CVE-2014-5025 | 0.00 | — | 0.02 | Oct 20, 2014 | Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action. | |||
| CVE-2014-3564 | 0.00 | — | 0.04 | Oct 20, 2014 | Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to "different line… | |||
| CVE-2014-3686 | 0.00 | — | 0.05 | Oct 16, 2014 | wpa_supplicant and hostapd 0.7.2 through 2.2, when running with certain configurations and using wpa_cli or hostapd_cli with action scripts, allows remote attackers to execute arbitrary commands via a crafted frame. | |||
| CVE-2014-7206 | 0.00 | — | 0.00 | Oct 15, 2014 | The changelog command in Apt before 1.0.9.2 allows local users to write to arbitrary files via a symlink attack on the changelog file. | |||
| CVE-2014-1829 | 0.00 | — | 0.02 | Oct 15, 2014 | Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request. | |||
| CVE-2014-5270 | 0.00 | — | 0.01 | Oct 10, 2014 | Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage… | |||
| CVE-2014-7204 | 0.00 | — | 0.04 | Oct 7, 2014 | jscript.c in Exuberant Ctags 5.8 allows remote attackers to cause a denial of service (infinite loop and CPU and disk consumption) via a crafted JavaScript file. | |||
| CVE-2014-4510 | 0.00 | — | 0.01 | Oct 6, 2014 | Cross-site scripting (XSS) vulnerability in job.cc in apt-cacher-ng 0.7.26 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | |||
| CVE-2014-6054 | 0.00 | — | 0.06 | Oct 6, 2014 | The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier allows remote attackers to cause a denial of service (divide-by-zero error and server crash) via a zero value in the scaling factor in a (1) PalmVNCSetScaleFactor or (2)… | |||
| CVE-2014-7155 | 0.00 | — | 0.01 | Oct 2, 2014 | The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1)… | |||
| CVE-2014-7154 | 0.00 | — | 0.01 | Oct 2, 2014 | Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ensure possession of the guarding lock for dirty video RAM tracking, which allows certain local guest domains to cause a denial of service via unspecified vectors. | |||
| CVE-2014-6055 | 0.00 | — | 0.08 | Sep 30, 2014 | Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer 0.9.9 and earlier allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3)… | |||
| CVE-2014-6051 | 0.00 | — | 0.08 | Sep 30, 2014 | Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer… | |||
| CVE-2014-6273 | 0.00 | — | 0.02 | Sep 30, 2014 | Buffer overflow in the HTTP transport code in apt-get in APT 1.0.1 and earlier allows man-in-the-middle attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted URL. | |||
| CVE-2014-0484 | 0.00 | — | 0.00 | Sep 22, 2014 | The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment." | |||
| CVE-2014-3169 | 0.00 | — | 0.03 | Aug 27, 2014 | Use-after-free vulnerability in core/dom/ContainerNode.cpp in the DOM implementation in Blink, as used in Google Chrome before 37.0.2062.94, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging script execution that occurs… | |||
| CVE-2014-3168 | 0.00 | — | 0.02 | Aug 27, 2014 | Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 37.0.2062.94, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper caching associated with animation. | |||
| CVE-2014-0481 | 0.00 | — | 0.02 | Aug 26, 2014 | The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote… | |||
| CVE-2014-3589 | 0.00 | — | 0.04 | Aug 25, 2014 | PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size. | |||
| CVE-2014-5033 | 0.00 | — | 0.00 | Aug 19, 2014 | KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2)… | |||
| CVE-2014-5266 | 0.00 | — | 0.24 | Aug 18, 2014 | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a… | |||
| CVE-2014-5265 | 0.00 | — | 0.03 | Aug 18, 2014 | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU… | |||
| CVE-2014-5240 | 0.00 | — | 0.02 | Aug 18, 2014 | Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL. | |||
| CVE-2014-5204 | 0.00 | — | 0.02 | Aug 18, 2014 | wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. | |||
| CVE-2014-4344 | 0.00 | — | 0.07 | Aug 14, 2014 | The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation… | |||
| CVE-2014-4343 | 0.00 | — | 0.06 | Aug 14, 2014 | Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute… | |||
| CVE-2014-3167 | 0.00 | — | 0.01 | Aug 13, 2014 | Multiple unspecified vulnerabilities in Google Chrome before 36.0.1985.143 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | |||
| CVE-2014-3166 | 0.00 | — | 0.01 | Aug 13, 2014 | The Public Key Pinning (PKP) implementation in Google Chrome before 36.0.1985.143 on Windows, OS X, and Linux, and before 36.0.1985.135 on Android, does not correctly consider the properties of SPDY connections, which allows remote attackers to obtain sensitive information by… | |||
| CVE-2014-3165 | 0.00 | — | 0.02 | Aug 13, 2014 | Use-after-free vulnerability in modules/websockets/WorkerThreadableWebSocketChannel.cpp in the Web Sockets implementation in Blink, as used in Google Chrome before 36.0.1985.143, allows remote attackers to cause a denial of service or possibly have unspecified other impact via… | |||
| CVE-2014-0479 | 0.00 | — | 0.03 | Aug 6, 2014 | reportbug before 6.4.4+deb7u1 and 6.5.x before 6.5.0+nmu1 allows remote attackers to execute arbitrary commands via vectors related to compare_versions and reportbug/checkversions.py. | |||
| CVE-2014-3534 | 0.00 | — | 0.00 | Aug 1, 2014 | arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently… | |||
| CVE-2014-1557 | 0.00 | — | 0.05 | Jul 23, 2014 | The ConvolveHorizontally function in Skia, as used in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, does not properly handle the discarding of image data during function execution, which allows remote attackers to execute arbitrary code… | |||
| CVE-2014-4911 | 0.00 | — | 0.02 | Jul 22, 2014 | The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit. | |||
| CVE-2014-4342 | 0.00 | — | 0.07 | Jul 20, 2014 | MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session. | |||
| CVE-2014-4341 | 0.00 | — | 0.07 | Jul 20, 2014 | MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session. | |||
| CVE-2014-3162 | 0.00 | — | 0.01 | Jul 20, 2014 | Multiple unspecified vulnerabilities in Google Chrome before 36.0.1985.125 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | |||
| CVE-2014-3160 | 0.00 | — | 0.01 | Jul 20, 2014 | The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG files, which allows remote attackers to bypass the Same Origin Policy via a… | |||
| CVE-2014-4943 | 0.00 | — | 0.02 | Jul 19, 2014 | The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. | |||
| CVE-2014-3533 | 0.00 | — | 0.00 | Jul 19, 2014 | dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor. | |||
| CVE-2014-3532 | 0.00 | — | 0.00 | Jul 19, 2014 | dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum… | |||
| CVE-2014-4260 | 0.00 | — | 0.03 | Jul 17, 2014 | Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR. | |||
| CVE-2014-4258 | 0.00 | — | 0.03 | Jul 17, 2014 | Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier and 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRINFOSC. |
- CVE-2014-3660Nov 4, 2014risk 0.00cvss —epss 0.04
parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested…
- CVE-2014-0490Nov 3, 2014risk 0.00cvss —epss 0.04
The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package.
- CVE-2014-0489Nov 3, 2014risk 0.00cvss —epss 0.04
APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.
- CVE-2014-0488Nov 3, 2014risk 0.00cvss —epss 0.02
APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.
- CVE-2014-0487Nov 3, 2014risk 0.00cvss —epss 0.02
APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors.
- CVE-2014-3615Nov 1, 2014risk 0.00cvss —epss 0.00
The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution.
- CVE-2014-3694Oct 29, 2014risk 0.00cvss —epss 0.02
The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to…
- CVE-2014-5026Oct 20, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host…
- CVE-2014-5025Oct 20, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action.
- CVE-2014-3564Oct 20, 2014risk 0.00cvss —epss 0.04
Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to "different line…
- CVE-2014-3686Oct 16, 2014risk 0.00cvss —epss 0.05
wpa_supplicant and hostapd 0.7.2 through 2.2, when running with certain configurations and using wpa_cli or hostapd_cli with action scripts, allows remote attackers to execute arbitrary commands via a crafted frame.
- CVE-2014-7206Oct 15, 2014risk 0.00cvss —epss 0.00
The changelog command in Apt before 1.0.9.2 allows local users to write to arbitrary files via a symlink attack on the changelog file.
- CVE-2014-1829Oct 15, 2014risk 0.00cvss —epss 0.02
Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.
- CVE-2014-5270Oct 10, 2014risk 0.00cvss —epss 0.01
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage…
- CVE-2014-7204Oct 7, 2014risk 0.00cvss —epss 0.04
jscript.c in Exuberant Ctags 5.8 allows remote attackers to cause a denial of service (infinite loop and CPU and disk consumption) via a crafted JavaScript file.
- CVE-2014-4510Oct 6, 2014risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in job.cc in apt-cacher-ng 0.7.26 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
- CVE-2014-6054Oct 6, 2014risk 0.00cvss —epss 0.06
The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier allows remote attackers to cause a denial of service (divide-by-zero error and server crash) via a zero value in the scaling factor in a (1) PalmVNCSetScaleFactor or (2)…
- CVE-2014-7155Oct 2, 2014risk 0.00cvss —epss 0.01
The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1)…
- CVE-2014-7154Oct 2, 2014risk 0.00cvss —epss 0.01
Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ensure possession of the guarding lock for dirty video RAM tracking, which allows certain local guest domains to cause a denial of service via unspecified vectors.
- CVE-2014-6055Sep 30, 2014risk 0.00cvss —epss 0.08
Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer 0.9.9 and earlier allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3)…
- CVE-2014-6051Sep 30, 2014risk 0.00cvss —epss 0.08
Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer…
- CVE-2014-6273Sep 30, 2014risk 0.00cvss —epss 0.02
Buffer overflow in the HTTP transport code in apt-get in APT 1.0.1 and earlier allows man-in-the-middle attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted URL.
- CVE-2014-0484Sep 22, 2014risk 0.00cvss —epss 0.00
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."
- CVE-2014-3169Aug 27, 2014risk 0.00cvss —epss 0.03
Use-after-free vulnerability in core/dom/ContainerNode.cpp in the DOM implementation in Blink, as used in Google Chrome before 37.0.2062.94, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging script execution that occurs…
- CVE-2014-3168Aug 27, 2014risk 0.00cvss —epss 0.02
Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 37.0.2062.94, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper caching associated with animation.
- CVE-2014-0481Aug 26, 2014risk 0.00cvss —epss 0.02
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote…
- CVE-2014-3589Aug 25, 2014risk 0.00cvss —epss 0.04
PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.
- CVE-2014-5033Aug 19, 2014risk 0.00cvss —epss 0.00
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2)…
- CVE-2014-5266Aug 18, 2014risk 0.00cvss —epss 0.24
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a…
- CVE-2014-5265Aug 18, 2014risk 0.00cvss —epss 0.03
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU…
- CVE-2014-5240Aug 18, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.
- CVE-2014-5204Aug 18, 2014risk 0.00cvss —epss 0.02
wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.
- CVE-2014-4344Aug 14, 2014risk 0.00cvss —epss 0.07
The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation…
- CVE-2014-4343Aug 14, 2014risk 0.00cvss —epss 0.06
Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute…
- CVE-2014-3167Aug 13, 2014risk 0.00cvss —epss 0.01
Multiple unspecified vulnerabilities in Google Chrome before 36.0.1985.143 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
- CVE-2014-3166Aug 13, 2014risk 0.00cvss —epss 0.01
The Public Key Pinning (PKP) implementation in Google Chrome before 36.0.1985.143 on Windows, OS X, and Linux, and before 36.0.1985.135 on Android, does not correctly consider the properties of SPDY connections, which allows remote attackers to obtain sensitive information by…
- CVE-2014-3165Aug 13, 2014risk 0.00cvss —epss 0.02
Use-after-free vulnerability in modules/websockets/WorkerThreadableWebSocketChannel.cpp in the Web Sockets implementation in Blink, as used in Google Chrome before 36.0.1985.143, allows remote attackers to cause a denial of service or possibly have unspecified other impact via…
- CVE-2014-0479Aug 6, 2014risk 0.00cvss —epss 0.03
reportbug before 6.4.4+deb7u1 and 6.5.x before 6.5.0+nmu1 allows remote attackers to execute arbitrary commands via vectors related to compare_versions and reportbug/checkversions.py.
- CVE-2014-3534Aug 1, 2014risk 0.00cvss —epss 0.00
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently…
- CVE-2014-1557Jul 23, 2014risk 0.00cvss —epss 0.05
The ConvolveHorizontally function in Skia, as used in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, does not properly handle the discarding of image data during function execution, which allows remote attackers to execute arbitrary code…
- CVE-2014-4911Jul 22, 2014risk 0.00cvss —epss 0.02
The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit.
- CVE-2014-4342Jul 20, 2014risk 0.00cvss —epss 0.07
MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session.
- CVE-2014-4341Jul 20, 2014risk 0.00cvss —epss 0.07
MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session.
- CVE-2014-3162Jul 20, 2014risk 0.00cvss —epss 0.01
Multiple unspecified vulnerabilities in Google Chrome before 36.0.1985.125 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
- CVE-2014-3160Jul 20, 2014risk 0.00cvss —epss 0.01
The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG files, which allows remote attackers to bypass the Same Origin Policy via a…
- CVE-2014-4943Jul 19, 2014risk 0.00cvss —epss 0.02
The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.
- CVE-2014-3533Jul 19, 2014risk 0.00cvss —epss 0.00
dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.
- CVE-2014-3532Jul 19, 2014risk 0.00cvss —epss 0.00
dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum…
- CVE-2014-4260Jul 17, 2014risk 0.00cvss —epss 0.03
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.
- CVE-2014-4258Jul 17, 2014risk 0.00cvss —epss 0.03
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier and 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRINFOSC.
Page 52 of 67