{"reporter": "NVD", "enchantments": {"vulnersScore": 7.5}, "published": "2014-04-15T19:13:17", "cvelist": ["CVE-2014-2864"], "title": "CVE-2014-2864", "objectVersion": "1.2", "type": "cve", "hash": "08ee40a52528951228a358b066949f7ff2d6c3bb8f4f3b8f96c9738f4df76c94", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2864", "bulletinFamily": "NVD", "id": "CVE-2014-2864", "history": [], "scanner": [], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "modified": "2014-04-16T10:18:06", "viewCount": 0, "cpe": ["cpe:/a:paperthin:commonspot_content_server:8.0.2", "cpe:/a:paperthin:commonspot_content_server:8.0.0", "cpe:/a:paperthin:commonspot_content_server:8.0.1", "cpe:/a:paperthin:commonspot_content_server:7.0.1"], "edition": 1, "description": "Multiple directory traversal vulnerabilities in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allow remote attackers to have an unspecified impact via a filename parameter containing directory traversal sequences.", "references": ["http://www.kb.cert.org/vuls/id/437385"], "lastseen": "2016-09-03T20:19:58", "assessment": {"system": "", "name": "", "href": ""}}

{"result": {"nessus": [{"id": "COMMONSPOT_7_0_2.NASL", "type": "nessus", "title": "CommonSpot < 7.0.2 / 8.0.3 / 9.0.0 Multiple Vulnerabilities", "description": "According to its version number, the CommonSpot install hosted on the remote web server is affected by multiple vulnerabilities :\n\n - An access restriction bypass via a direct request.\n (CVE-2014-2859)\n\n - Multiple cross-site scripting (XSS) vulnerabilities.\n (CVE-2014-2860, CVE-2014-2861)\n\n - Improper authorization checks in unspecified requests can allow a remote, unauthenticated attacker to perform unauthorized actions. (CVE-2014-2862)\n\n - Multiple path traversal vulnerabilities allow remote, unauthenticated attackers to request full pathnames in parameters. (CVE-2014-2863)\n\n - Multiple directory traversal vulnerabilities.\n (CVE-2014-2864)\n\n - The application fails to restrict the use of a NULL byte, which can be used to bypass access restrictions.\n (CVE-2014-2865)\n\n - The application uses client JavaScript code for access restrictions, which can be bypassed with attacker- controlled JavaScript. (CVE-2014-2866)\n\n - Unrestricted file uploads could allow for dangerous file types to be added to the server. (CVE-2014-2867)\n\n - Multiple pages allow a remote attacker to override ColdFusion variables via HTTP GET requests.\n (CVE-2014-2868)\n\n - Multiple pages allow for information disclosure.\n (CVE-2014-2869)\n\n - The application stores credentials in plaintext in the underlying application database by default.\n (CVE-2014-2870)\n\n - The application transmits credentials in cleartext via HTTP. (CVE-2014-2871)\n\n - Multiple directory listings allow for potential access to sensitive information. (CVE-2014-2872)\n\n - The application allows unauthenticated access to log files allowing for information disclosure.\n (CVE-2014-2873)\n\n - The application allows remote, unauthenticated attackers to execute arbitrary commands with arbitrary parameters.\n (CVE-2014-2874)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "published": "2014-04-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=73611", "cvelist": ["CVE-2014-2863", "CVE-2014-2860", "CVE-2014-2867", "CVE-2014-2871", "CVE-2014-2866", "CVE-2014-2859", "CVE-2014-2862", "CVE-2014-2869", "CVE-2014-2864", "CVE-2014-2870", "CVE-2014-2872", "CVE-2014-2868", "CVE-2014-2873", "CVE-2014-2861", "CVE-2014-2874", "CVE-2014-2865"], "lastseen": "2018-06-14T07:39:34"}]}}