CVE-2014-4622
EMC Documentum Content Server is affected by multiple privilege-escalation vulnerabilities (CVE-2014-4622, CVE-2015-4531/4532/4533/4534/4535/4536) across versions prior to 6.7SP1 P32, 6.7SP2 P25, 7.0 P19, 7.1 P16, and 7.2 P02. The root cause involves improper authorization checks for subgroups wi...
Design/Logic Flaw
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000...
CVE-2014-6232
Unspecified vulnerability in the LDAP euldap extension before 2.8.18 for TYPO3 allows remote authenticated users to obtain sensitive information via unknown vectors...
Katello: CLI - user without access can call "system remove_deletion" command
Katello allows remote authenticated users to call the "system remove_deletion" CLI command via vectors related to "remove system" permissions...
Cross site request forgery (csrf)
Cross-site request forgery (CSRF) vulnerability in IBM Configuration Management Application aka VVC in IBM Rational Engineering Lifecycle Manager before 4.0.7 and 5.x before 5.0.1, Rational Software Architect Design Manager before 4.0.7 and 5.x before 5.0.1, and Rational Rhapsody Design Manager...
CVE-2014-6074
IBM UrbanCode Deploy 6.1.0.2 before IF1 allows remote authenticated users to read keystore secret keys via a direct request to a UI page...
Code injection
TorrentFlux 2.4 allows remote authenticated users to obtain other users' cookies via the cid parameter in an editCookies action to profile.php...
CVE-2014-6029
TorrentFlux 2.4 allows remote authenticated users to delete or modify other users' cookies via the cid parameter in an editCookies action to profile.php...
CVE-2014-6028
TorrentFlux 2.4 is affected by an auth-context leakage where the cid parameter in the editCookies action to profile.php can be exploited by remote authenticated users to obtain other users’ cookies. Affected component: profile.php (editCookies action) in TorrentFlux 2.4. Root cause: insecure hand...
CVE-2014-0863
The client in IBM Cognos TM1 9.5.2.3 before IF5, 10.1.1.2 before IF1, 10.2.0.2 before IF1, and 10.2.2.0 before IF1 stores obfuscated passwords in memory, which allows remote authenticated users to obtain sensitive cleartext information via an unspecified security tool...
CVE-2014-0863
The CVE-2014-0863 issue affects IBM Cognos TM1 components: 9.5.2.3 before IF5, 10.1.1.2 before IF1, 10.2.0.2 before IF1, and 10.2.2.0 before IF1. The root cause is that the client stores obfuscated passwords in memory, enabling remote authenticated users to retrieve cleartext information using a ...
UBUNTU-CVE-2014-5339
Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 allows remote authenticated users to write check_mk config files (.mk files) to arbitrary locations via vectors related to row selections...
CVE-2014-3024
Cross-site request forgery (CSRF) vulnerability in IBM Maximo Asset Management 7.1 through 7.1.1.12 and 7.5 through 7.5.0.6 and Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk allows remote authenticated users to hijack the authentication of...
CVE-2014-3041
SQL injection vulnerability in IBM Emptoris Contract Management 9.5.x before 9.5.0.6 iFix 10, 10.0.0.x before 10.0.0.1 iFix 10, 10.0.1.x before 10.0.1.4, and 10.0.2.x before 10.0.2.2 iFix 2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors...
Design/Logic Flaw
IBM Emptoris Sourcing Portfolio 9.5.x before 9.5.1.3, 10.0.0.x before 10.0.0.1, 10.0.1.x before 10.0.1.3, and 10.0.2.x before 10.0.2.4 and Emptoris Spend Analysis 9.5.x before 9.5.0.4, 10.0.1.x before 10.0.1.3, and 10.0.2.x before 10.0.2.4 do not properly restrict use of FRAME elements, which...
CVE-2014-0483
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field...
CVE-2014-5252
The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/...
PYSEC-2014-107
The MySQL token driver in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token...
DEBIAN-CVE-2014-5274
Cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to js/functions.js...