F5 ARX Data Manager contains a SQL injection vulnerability

Overview F5 ARX Data Manager 3.0.0 - 3.1.0 contains a SQL injection vulnerability. Description CWE-89: Improper Neutralization of Special Elements used in an SQL Command F5 ARX Data Manager 3.0.0 - 3.1.0 contains an unspecified SQL injection vulnerability. --- Impact A remote authenticated attack...

Symantec Web Gateway contains SQL injection and cross-site scripting vulnerabilities

Overview Symantec Web Gateway 5.1.1.24, and possibly earlier versions, contains cross-site scripting and SQL injection vulnerabilities. Description CVE-2014-1652 -CWE-79: Improper Neutralization of Input During Web Page Generation Symantec Web Gateway 5.1.1.24, and possibly earlier versions,...

Cisco AsyncOS contains a reflected cross-site scripting (XSS) vulnerability

Overview Cisco AsyncOS contains a reflected cross-site scripting XSS vulnerability. Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' - CVE-2014-3289 Cisco AsyncOS, the underlying OS for the Cisco Email Security Appliance, Web Security Applianc...

Unauthorized modification of UEFI variables in UEFI systems

Overview Certain firmware implementations may not correctly protect and validate information contained in certain UEFI variables. Exploitation of such vulnerabilities could potentially lead to bypass of security features and/or denial of service for the platform. Description As discussed in recen...

OpenSSL is vulnerable to a man-in-the-middle attack

Overview OpenSSL is vulnerable to a man-in-the-middle attack. Description The OpenSSL security advisory states:SSL/TLS MITM vulnerability CVE-2014-0224 =========================================== An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL...

Huawei E303 contains a cross-site request forgery vulnerability

Overview The built-in web interface of Huawei E303 devices contains a cross-site request forgery vulnerability. Description Huawei E303 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to send and receive SMS messages usi...

Dell ML6000 and Quantum Scalar i500 tape backup system command injection vulnerability

Overview Dell ML6000 and Quantum Scalar i500 tape backup system contain a command injection vulnerability. Description CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection'Dell's and Quantum's advisories state the following: The tape library's remote use...

Alfresco Enterprise contains multiple cross-site scripting vulnerabilities

Overview Alfresco Enterprise 4.1.6 and possibly earlier versions are vulnerable to multiple cross-site scripting XSS vulnerabilities. Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' Alfresco Enterprise is vulnerable to a stored cross-site...

Bizagi BPM Suite contains multiple vulnerabilities

Overview Bizagi BPM Suite contains a reflected cross-site scripting vulnerability and a SQL injection vulnerability. Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' - CVE-2014-2947According to Open-Sec consultant Mauricio Urizar, all versions...

Microsoft Internet Explorer 8 CMarkup use-after-free vulnerability

Overview Microsoft Internet Explorer 8 contains a use-after-free vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Microsoft Internet Explorer 8 contains a use-after-free vulnerability. This can allow for arbitrary code...

Hanvon facial recognition (Face ID) devices do not authenticate commands

Overview Hanvon facial recognition Face ID devices possibly running software versions prior to 1.007.110 could allow an unauthenticated attacker to modify user and access control information. Description CWE-306: Missing Authentication for Critical FunctionIt has been reported that Hanvon biometr...

Juniper ScreenOS is vulnerable to a denial of service from malformed SSL packets

Overview Juniper ScreenOS 6.3, and possibly earlier versions, is vulnerable to a denial of service from malformed SSL packets. Description Juniper ScreenOS 6.3, and possibly earlier versions, is vulnerable to a denial of service from malformed SSL packets. Additional details may be found in Junip...

Fortinet Fortiweb 5.1 contains a cross-site request forgery vulnerability

Overview Fortinet Fortiweb prior to version 5.2.0 do not sufficiently verify whether a valid request was intentionally provided by the user, which results in a cross-site request forgery CSRF vulnerability. CWE-352 Description CWE-352: Cross-Site Request Forgery CSRF Fortinet Fortiweb prior to...

Caldera 9.20 contains multiple vulnerabilities

Overview Caldera 9.20, and possibly earlier versions, contains multiple vulnerabilities. Description CWE-22 - Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' - CVE-2014-2933Caldera 9.20 and possibly earlier versions contains a path traversal vulnerability due to the...

Google Search Appliance dynamic navigation cross-site scripting vulnerability

Overview Google Search Appliance GSA devices contain a cross-site scripting XSS vulnerability when dynamic navigation is enabled. Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' Google Search Appliance versions earlier than 7.2.0.G.114 and...

Ignite Realtime Smack XMPP API contains multiple vulnerabilities

Overview Ignite Realtime's Smack XMPP API ServerTrustManger trusts unauthorized SSL certificates CWE-358 and IQ requests do not verify the from attribute allowing anyone to spoof IQ responses. CWE-345 Description CWE-358:Improperly Implemented Security Check for Standard- CVE-2014-0363 The...

Microsoft Internet Explorer CMarkup use-after-free vulnerability

Overview Microsoft Internet Explorer contains a use-after-free vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Microsoft Internet Explorer contains a use-after-free vulnerability. This can allow for arbitrary code...

Apache Struts2 ClassLoader allows access to class properties via request parameters

Overview Apache Struts2 2.3.16.1 and earlier contain a vulnerability where the ClassLoader allows access to class properties via request parameters Description Apache Struts2 2.3.16.1 and earlier contain a vulnerability where the ClassLoader allows access to class properties via request parameter...

POCO C++ Libraries NetSSL library fails to properly validate wildcard certificates

Overview The POCO C++ Libraries NetSSL library fails to properly validate wildcard certificates, allowing an attacker to trick the victim application into trusting a malicious certificate. Description CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action Guenter Obiltschnig o...

IBM Notes and Domino on x86 Linux specify an executable stack

Overview IBM Notes and Domino on x86 Linux are incorrectly built requesting an executable stack. This can make it easier for attackers to exploit vulnerabilities in Notes, Domino, and any of the child processes that they may spawn. Description The build environment for the x86 Linux versions of I...

Toshiba Global Commerce Solutions' 4690 Point of Sale operating system contains a password hashing algorithm that can be reversed

Overview Toshiba Global Commerce Solutions' 4690 Point of Sale operating system contains a password hashing algorithm that can be reversed. CWE-328 Description Toshiba Global Commerce Solutions' 4690 Point of Sale operating system contains a password hashing algorithm that can be reversed. CWE-32...

Openfire contains an uncontrolled resource consumption vulnerability

Overview Openfire 3.9.1, and possibly earlier versions, contains an uncontrolled resource consumption CWE-400 vulnerability when using XMPP DEFLATE message compression. Description Openfire 3.9.1, and possibly earlier versions, contains an uncontrolled resource consumption CWE-400 vulnerability...

PaperThin CommonSpot CMS contains multiple vulnerabilities

Overview PaperThin CommonSpot contains multiple vulnerabilities, which may allow an unauthenticated remote attacker to execute arbitrary code on the server. Description PaperThin CommonSpot is a content management system CMS that is based on Adobe ColdFusion. CommonSpot is composed of over 3000...

Xangati software release contains relative path traversal and command injection vulnerabilities

Overview Xangati's software release contains relative path traversal CWE-23 and command injection CWE-78 vulnerabilities. Description Xangati's software release contains relative path traversal CWE-23 and command injection CWE-78 vulnerabilities.CWE-23: Relative Path Traversal -CVE-2014-0358 The...

Artiva Agency Single Sign-On (SSO) feature vulnerability

Overview Artiva Agency Single Sign-On SSO feature checks only the local Windows login name which could allow an attacker to impersonate another Artiva Agency user. Description Artiva Agency Single Sign-On SSO feature when configured with the domain name option allows the currently logged on Windo...

AMTELCO miSecureMessages Server insecurely authenticates clients

Overview AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages CWE-287. Description AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages. miSecureMessages authenticates client app XML requests for...

Fortinet FortiADC D-series contains a cross-site scripting vulnerability

Overview Fortinet FortiADC D-series 3.2.0, and possibly earlier versions, contains a cross-site scripting vulnerability. CWE-79 Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' Fortinet FortiADC D-series 3.2.0, and possibly earlier versions,...

ZyXEL Wireless N300 NetUSB Router NBG-419N devices contain multiple vulnerabilities

Overview ZyXEL Wireless N300 NetUSB Router NBG-419N running firmware version 1.00BFQ.6C0, and possibly earlier versions, is susceptible to multiple vulnerabilities. Other device models that use similar firmware may also be vulnerable. Description ZyXEL Wireless N300 NetUSB Router NBG-419N running...

PivotX 2.3.8 contains multiple vulnerabilities

Overview PivotX 2.3.8, and possibly earlier versions, contains cross-site scripting CWE-79 and unsafe file upload CWE-434 vulnerabilities. Description PivotX 2.3.8, and possibly earlier versions, contains cross-site scripting CWE-79 and unsafe file upload CWE-434 vulnerabilities.CWE-79: Improper...

Microsoft Office file format converter memory corruption vulnerability

Overview The Microsoft Office file format converter contains a memory corruption vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user. Description Microsoft Office file format converter is a component that converts legacy...

J2k-Codec contains multiple exploitable vulnerabilities

Overview J2k-Codec contains multiple exploitable vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description J2k-Codec is a JPEG 2000 decoding library for Windows. J2k-Codec contains multiple exploitable exploitable...

OpenSSL TLS heartbeat extension read overflow discloses sensitive information

Overview OpenSSL 1.0.1 and 1.0.2 beta contain a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed." Description OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2 beta through 1.0.2-beta1 contain a flaw in its...

Websense Triton Unified Security Center 7.7.3 information disclosure vulnerability

Overview Websense Triton Unified Security Center 7.7.3 and possibly earlier versions contains an information disclosure vulnerability which could allow an authenticated attacker to view stored credentials of a possibly higher privileged user. Description CWE-200: Information ExposureWhen logged...

Huawei Echo Life HG8247 optical router XSS vulnerability

Overview Huawei Echo Life HG8247 optical router contains a stored cross-site scripting XSS vulnerability Description It has been reported that Huawei Echo Life HG8247 optical routers running software version V1R006C00S120 or earlier contain a stored cross-site scripting XSS vulnerability. An...

Zyxel P660 series modem/router denial of service vulnerability

Overview Zyxel P660 series modem/router contains a denial of service vulnerability when parsing a high volume of SYN packets on the web management interface. Description It has been reported that Zyxel P660 series modem/router and possibly other models which share the same core firmware fail to...

Pearson eSIS Enterprise Student Information System XSS vulnerability

Overview Pearson eSIS Enterprise Student Information System contains a XSS vulnerability. Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting'Pearson eSIS Enterprise Student Information System contains a reflected cross-site scripting vulnerabilit...

ManageEngine OpStor Build 8300 and earlier contain multiple vulnerabilities

Overview ManageEngine OpStor Build 8300 and earlier contain multiple vulnerabilities. Description CWE-472: External Control of Assumed-Immutable Web ParameterIt has been reported that the 'Properties.do?name=' module is vulnerable to an ‘unauthorized function call’ caused by server failing to...

Virtual Access GW6110A router privilege escalation vulnerability

Overview Virtual Access GW6110A routers contain a privilege escalation vulnerability which could allow an authenticated user to escalate their privileges. Description CWE-472: External Control of Assumed-Immutable Web ParameterVirtual Access GW6110A routers contain a privilege escalation...

Webmin contains a cross-site scripting vulnerability

Overview Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability. Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability in...

WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability

Overview WatchGuard Fireware XTM 11.8.1, and possibly earlier versions, contains a cross-site scripting vulnerability. Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' WatchGuard Fireware XTM 11.8.1 contains a cross-site scripting vulnerabilit...

Aker Secure Mail Gateway reflected XSS vulnerability

Overview Aker Secure Mail Gateway 2.5.2 and previous versions contain a reflected cross-site scripting vulnerability. CWE-79 Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' - CVE-2013-6037Aker Secure Mail Gateway 2.5.2 and previous versions...

Huawei E355 contains a direct request vulnerability

Overview Huawei E355 USB WiFi adapter with firmware version: 21.157.37.01.910 has been reported to contain a direct request vulnerability in the web interface. CWE-425 Description Huawei E355 USB WiFi adapter with firmware version: 21.157.37.01.910 has been reported to contain a direct request...

Serena Dimensions CM 12.2 Build 7.199.0 web client vulnerabilities

Overview Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contains multiple cross-site scripting vulnerabilities. Description Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contains multiple cross-site scripting...

ZTE F460/F660 cable modems contain an unauthenticated backdoor

Overview ZTE F460/F660 cable modems contain an unauthenticated backdoor. Description ZTE F460/F660 cable modems contain an unauthenticated backdoor. The webshellcmd.gch script accepts unauthenticated commands that have administrative access to the device. It has been reported that the...

Foscam IP camera authentication bypass vulnerability

Overview The FI8910W Foscam IP camera running firmware version 11.37.2.54 fails to properly authenticate users. Description CWE-592: Authentication Bypass Issues - CVE-2014-1911The FI8910W Foscam IP camera running firmware version 11.37.2.54 contains a vulnerability which allows an unauthenticate...

CMS Made Simple contains multiple cross-site scripting vulnerabilities

Overview CMS Made Simple contains multiple cross-site scripting vulnerabilities Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' - CVE-2014-0334The files: cmsmadesimple/admin/addgroup.php on line 107 contains a post-authentication reflected XS...

Blue Coat ProxySG local user changes contain a time and state vulnerability

Overview Changes to Blue Coat ProxySG local users do not take effect immediately, giving an attacker with known credentials a window of opportunity to use those credentials even if the user was deleted or the password was changed. CWE-361 Description Blue Coat Security Advisory SA77 states:SGOS...

Synology DiskStation Manager VPN module hard-coded password vulnerability

Overview Synology DiskStation Manager VPN module contains a hard-coded password which cannot be changed. Description Synology DiskStation Manager 4.3-3810 update 1 and possibly earlier versions contain a VPN server module which contains a hard-coded password which cannot be changed. According to...

libpng denial-of-service vulnerability

Overview libpng versions 1.6.0 through 1.6.9 contain a denial-of-service vulnerability. Description CWE-835: Loop with Unreachable Exit Condition 'Infinite Loop' - CVE-2014-0333Glenn Randers Pehrson of the PNG Development Group reports: The progressive decoder in libpng16 enters an infinite loop,...

Microsoft XMLDOM ActiveX control information disclosure vulnerability

Overview The Microsoft XMLDOM ActiveX control can be used to check for the presence of multiple resources, which can result in unintended information disclosure. Description Microsoft.XMLDOM is an ActiveX control that can run in Internet Explorer without requiring any prompting to the user. This...