IBM Algo One Multiple Security Vulnerabilities
CVE ID: CVE-2013-6299, CVE-2013-6300, CVE-2013-6301, CVE-2013-6302, CVE-2013-6303, CVE-2013-6318, CVE-2013-6319, CVE-2013-6320, CVE-2013-6331, CVE-2013-6333. IBM Algo One is a risk management software solution. IBM Algo One has multiple security vulnerabilities: 1. The application does not properly validate user permissions, allowing an attacker to obtain restricted content. 2. Multiple cross-site scripting vulnerabilities exist, allowing an attacker to construct a malicious URI and entice a user to open it, which can disclose sensitive cookies, hijack the session, or perform malicious actions in the user's browser. ...
Ganesha Digital Library Multiple Vulnerabilities
Ganesha Digital Library is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2014 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...
Framework: XML External Entity (XXE) injection flaw
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in...
CVE-2013-1904
Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the value parameter for the genericmessagefooter setting in a save-perf action to index.php, as exploite...
VulnCheck KEV: CVE-2013-1904
Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the value parameter for the genericmessagefooter setting in a save-perf action to index.php, as...
GLSA-201402-07 : Freeciv: User-assisted execution of arbitrary code
The remote host is affected by the vulnerability described in GLSA-201402-07 Freeciv: User-assisted execution of arbitrary code The Lua component of Freeciv does not restrict which modules may be loaded by scenario scripts. Impact : A remote attacker could entice a user to open a specially crafte...
CVE-2014-1626
XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read arbitrary files via a crafted XML file...
CVE-2014-1626
CVE-2014-1626 affects the MARC::File::XML component of MARC-XML for Perl, before version 1.0.2, as used by Evergreen, Koha, and perl4lib. The vulnerability is an XML External Entity (XXE) issue that allows a context-dependent attacker to read arbitrary files via a crafted XML input. Public refere...
DEBIAN-CVE-2013-7315
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB,...
Design/Logic Flaw
The image creation configuration in aaabase before 16.26.1 for openSUSE 13.1 KDE adds the root user to the "users" group when installing from a live image, which allows local users to obtain sensitive information and possibly have other unspecified impacts, as demonstrated by reading /etc/shadow...
MGASA-2014-0004 Updated librsvg and gtk+3.0 packages fix security vulnerability
librsvg before version 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference CVE-2013-1881. gtk+3.0 has been patched to cope with the changes in SVG loading due to the fix in librsvg...
CVE-2013-4069
IBM SPSS Collaboration and Deployment Services is affected by CVE-2013-4069. The Deployment Portal mishandles XML external entities, enabling remote attackers to read arbitrary files via an XML external entity declaration with an entity reference. Affected versions: 4.2.1 before 4.2.1.3 IF3 and 5...
CVE-2013-6708
Cisco Cloud Portal 9.4 contains an unauthenticated file download flaw where an attacker can read files via direct browser request due to insufficient access controls. The issue is documented in CVE-2013-6708 and Cisco’s advisory (Cisco-SA-20131209-CVE-2013-6708). Affected component is the web int...
CVE-2013-6397
Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt) parameter is set to XSLT. NOTE: this can be leveraged using a separa...
CVE-2013-6000
Directory traversal vulnerability in Tattyan HP TOWN before 5101 allows remote attackers to read arbitrary files via a .. (dot dot) in a request...
CVE-2013-6312
CVE-2013-6312 affects IBM Rational Service Tester (8.3.x and 8.5.x before 8.5.1) and Rational Performance Tester (8.3.x and 8.5.x before 8.5.1). The vulnerability path allows remote attackers to read arbitrary files via unknown vectors. IBM notes the vulnerability exists in these products on all ...
CVE-2013-5688
CVE-2013-5688 is a directory-traversal vulnerability in AjaXplorer (Ajaxplorer) up to version 5.0.2. Remote authenticated users could read arbitrary files via a crafted parameter using a ../%00 sequence in file or dir arguments (download, get_content, or upload actions). The issue affects the ind...
StatusNet/Laconica 0.7.4/0.8.2/0.9.0beta3 - Arbitrary File Reading
+-------------------------------------------------------------------------------+ + StatusNet/Laconica: $this->title = $this->trimmed('title'); $this->filename = INSTALLDIR.'/doc-src/'.$this->title; //1 if (!file_exists($this->filename)) { $this->clientError('No such document.'); return; } $this->showPage();...
CVE-2013-3624
The OS deployment feature in Baramundi Management Suite 7.5 through 8.9 stores credentials in cleartext on deployed machines, which allows remote attackers to obtain sensitive information by reading a file. NOTE: this ID was also incorrectly mapped to a separate issue in Oracle Outside In, but th...