Monthly Archives: September 2014
SB14-258: Vulnerability Summary for the Week of September 8, 2014
Original release date: September 15, 2014
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
-
High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
-
Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
-
Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
High Vulnerabilities
Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
address_visualization_with_google_maps_project — address_visualization_with_google_maps | SQL injection vulnerability in the Address visualization with Google Maps (st_address_map) extension before 0.3.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2014-09-11 | 7.5 | CVE-2014-6239 BID |
adobe — adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, and CVE-2014-0555. | 2014-09-09 | 10.0 | CVE-2014-0547 |
adobe — adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow remote attackers to bypass the Same Origin Policy via unspecified vectors. | 2014-09-09 | 7.5 | CVE-2014-0548 |
adobe — adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, and CVE-2014-0555. | 2014-09-09 | 10.0 | CVE-2014-0549 |
adobe — adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0551, CVE-2014-0552, and CVE-2014-0555. | 2014-09-09 | 10.0 | CVE-2014-0550 |
adobe — adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0552, and CVE-2014-0555. | 2014-09-09 | 10.0 | CVE-2014-0551 |
adobe — adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, and CVE-2014-0555. | 2014-09-09 | 10.0 | CVE-2014-0552 |
adobe — adobe_air | Use-after-free vulnerability in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors. | 2014-09-09 | 10.0 | CVE-2014-0553 |
adobe — adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to bypass intended access restrictions via unspecified vectors. | 2014-09-10 | 10.0 | CVE-2014-0554 |
adobe — adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, and CVE-2014-0552. | 2014-09-09 | 10.0 | CVE-2014-0555 |
adobe — adobe_air | Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0559. | 2014-09-09 | 10.0 | CVE-2014-0556 |
adobe — adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors. | 2014-09-09 | 10.0 | CVE-2014-0557 |
adobe — adobe_air | Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0556. | 2014-09-09 | 10.0 | CVE-2014-0559 |
apache — tomcat | Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file. | 2014-09-11 | 7.5 | CVE-2013-4444 BUGTRAQ |
cisco — telepresence_system_software | Memory leak in Cisco TelePresence System Edge MXP Series Software F9.3.3 and earlier allows remote attackers to cause a denial of service (management outage) via multiple TELNET connections, aka Bug ID CSCuo63677. | 2014-09-11 | 7.8 | CVE-2014-3362 |
cwt_frontend_edit_project — cwt_frontend_edit | Unspecified vulnerability in the CWT Frontend Edit (cwt_feedit) extension before 1.2.5 for TYPO3 allows remote authenticated users to execute arbitrary code via unknown vectors. | 2014-09-11 | 7.5 | CVE-2014-6231 XF BID SECUNIA |
flat_manager_project — flat_manager | SQL injection vulnerability in the Flat Manager (flatmgr) extension before 2.7.10 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2014-09-11 | 7.5 | CVE-2014-6233 XF BID SECUNIA |
google — chrome | Use-after-free vulnerability in core/dom/Node.cpp in Blink, as used in Google Chrome before 37.0.2062.120, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of render-tree inconsistencies. | 2014-09-10 | 7.5 | CVE-2014-3178 CONFIRM CONFIRM |
google — chrome | Multiple unspecified vulnerabilities in Google Chrome before 37.0.2062.120 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | 2014-09-10 | 7.5 | CVE-2014-3179 CONFIRM CONFIRM CONFIRM CONFIRM |
hp — network_node_manager_i | Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-2264. | 2014-09-10 | 10.0 | CVE-2014-2624 HP |
ibm — san_volume_controller_software | IBM Storwize 3500, 3700, 5000, and 7000 devices and SAN Volume Controller 6.x and 7.x before 7.2.0.8 allow remote attackers to reset the administrator superuser password to its default value via a direct request to the administrative IP address. | 2014-09-11 | 7.5 | CVE-2014-4811 XF |
kennziffer — ke_dompdf | Unspecified vulnerability in the ke DomPDF extension before 0.0.5 for TYPO3 allows remote attackers to execute arbitrary code via unknown vectors. | 2014-09-11 | 7.5 | CVE-2014-6235 XF BID |
lumonet_php_include_project — lumonet_php_include | Unspecified vulnerability in the LumoNet PHP Include (lumophpinclude) extension before 1.2.1 for TYPO3 allows remote attackers to execute arbitrary scripts via vectors related to extension links. | 2014-09-11 | 7.5 | CVE-2014-6236 XF BID SECUNIA |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-2799 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4059 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4065 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4079 |
microsoft — internet_explorer | Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4089, CVE-2014-4091, and CVE-2014-4102. | 2014-09-09 | 9.3 | CVE-2014-4080 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4081 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability.” | 2014-09-09 | 9.3 | CVE-2014-4082 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4083 |
microsoft — internet_explorer | Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4093. | 2014-09-09 | 9.3 | CVE-2014-4084 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4085 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability.” | 2014-09-09 | 9.3 | CVE-2014-4086 |
microsoft — internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4095, CVE-2014-4096, and CVE-2014-4101. | 2014-09-09 | 9.3 | CVE-2014-4087 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4088 |
microsoft — internet_explorer | Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4080, CVE-2014-4091, and CVE-2014-4102. | 2014-09-09 | 9.3 | CVE-2014-4089 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4090 |
microsoft — internet_explorer | Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4080, CVE-2014-4089, and CVE-2014-4102. | 2014-09-09 | 9.3 | CVE-2014-4091 |
microsoft — internet_explorer | Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4098. | 2014-09-09 | 9.3 | CVE-2014-4092 |
microsoft — internet_explorer | Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4084. | 2014-09-09 | 9.3 | CVE-2014-4093 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4094 |
microsoft — internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4087, CVE-2014-4096, and CVE-2014-4101. | 2014-09-09 | 9.3 | CVE-2014-4095 |
microsoft — internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4087, CVE-2014-4095, and CVE-2014-4101. | 2014-09-09 | 9.3 | CVE-2014-4096 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4097 |
microsoft — internet_explorer | Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4092. | 2014-09-09 | 9.3 | CVE-2014-4098 |
microsoft — internet_explorer | Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability.” | 2014-09-09 | 9.3 | CVE-2014-4099 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4100 |
microsoft — internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4087, CVE-2014-4095, and CVE-2014-4096. | 2014-09-09 | 9.3 | CVE-2014-4101 |
microsoft — internet_explorer | Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-4080, CVE-2014-4089, and CVE-2014-4091. | 2014-09-09 | 9.3 | CVE-2014-4102 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4103 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4104 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4105 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4106 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4107 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4108 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4109 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4110 |
microsoft — internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, and CVE-2014-4110. | 2014-09-09 | 9.3 | CVE-2014-4111 |
phpwiki — phpwiki | The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information. | 2014-09-11 | 7.5 | CVE-2014-5519 EXPLOIT-DB SECUNIA MLIST MLIST FULLDISC MISC OSVDB |
plogger — plogger | Unrestricted file upload vulnerability in plog-admin/plog-upload.php in Plogger 1.0 RC1 and earlier allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-zero length PNG file, then accessing the PHP file via a direct request to it in plog-content/uploads/archive/. | 2014-09-11 | 7.5 | CVE-2014-2223 MISC EXPLOIT-DB MLIST MLIST MISC |
procmail — procmail | Heap-based buffer overflow in formisc.c in formail in procmail 3.22 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted email header, related to “unbalanced quotes.” | 2014-09-08 | 7.5 | CVE-2014-3618 XF UBUNTU BID MLIST DEBIAN |
sensysnetworks — trafficdot | Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not verify the integrity of downloaded updates, which allows remote attackers to execute arbitrary code via a Trojan horse update. | 2014-09-05 | 7.6 | CVE-2014-2378 MISC |
wt_directory_project — wt_directory | SQL injection vulnerability in the wt_directory extension before 1.4.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2014-09-11 | 7.5 | CVE-2014-6241 XF BID SECUNIA |
Medium Vulnerabilities
Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
1800contacts — 1800contacts_app | The 1800CONTACTS App (aka com.contacts1800.ecomapp) application 2.7.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5601 MISC |
9gag — 9gag_-_funny_pics_and_videos | The 9GAG – Funny pics and videos (aka com.ninegag.android.app) application 2.4.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5669 MISC |
aceviral — angry_gran_toss | The Angry Gran Toss (aka com.aceviral.angrygrantoss) application 1.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5564 MISC |
adcolony — adcolony_library | The Adcolony library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5524 CERT-VN MISC |
adidas — honolulu | The Honolulu (aka adidas.jp.android.running.honolulu) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5532 MISC |
adiscon — loganalyzer | Multiple cross-site scripting (XSS) vulnerabilities in Adiscon LogAnalyzer before 3.6.6 allow remote attackers to inject arbitrary web script or HTML via the hostname in (1) index.php or (2) detail.php. | 2014-09-11 | 4.3 | CVE-2014-6070 XF EXPLOIT-DB FULLDISC MISC |
adt-taxis — adt_taxis | The ADT Taxis (aka com.icabbi.adttaxisApp) application 6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5639 MISC |
akronymmanager_project — akronymmanager | Cross-site scripting (XSS) vulnerability in the Akronymmanager (aka SB Folderdownload) extension 0.5.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-11 | 4.3 | CVE-2014-6238 XF BID |
al_3azmi — ce4arab_market | The ce4arab market (aka com.dreamstep.wce4arabmarket) application 0.12.13093.40460 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5610 MISC |
americostech — selfshot_front_flash_camera | The Selfshot – Front Flash Camera (aka com.americos.selfshot) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5566 MISC |
amiscu — westmoreland_water_fcu | The Westmoreland Water FCU (aka air.com.creditunionhomebanking.mb115) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5538 CERT-VN MISC |
amiscu — michael_baker_federal_credit_union | The Michael Baker FCU (aka air.com.creditunionhomebanking.mb155) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5539 MISC |
androkera — las_vegas_lottery_scratch_off | The Las Vegas Lottery Scratch Off (aka com.androkera.lottery) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5568 MISC |
animoca — star_girl | The Star Girl (aka com.animoca.google.starGirl) application 3.4.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5569 MISC |
animoca — bunny_run | The Bunny Run (aka com.stargirlgames.google.bunnyrun) application 1.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5707 MISC |
animoca — fashion_style | The Fashion Style (aka com.thirtysixyougames.google.starGirlSingapore) application 3.4.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5717 MISC |
anywherepad — anywhere_pad-meet,_collaborate | The Anywhere Pad-Meet, Collaborate (aka com.azeus.anywherepad) application 4.0.1031 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5579 MISC |
aol — dailyfinance_-_stocks_&_news | The DailyFinance – Stocks & News (aka com.aol.mobile.dailyFinance) application 2.0.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5570 MISC |
app_maker_ks — buy_books | The Buy Books (aka com.wBooksForSale) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5734 MISC |
appeak — poker | The Appeak Poker (aka com.appeak.poker) application 2.4.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5571 MISC |
appministry — princess_shopping | The Princess Shopping (aka air.android.PrincessShopping) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5534 MISC |
appsflyer — appsflyer | The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5528 MISC |
appstros — appstros_-_free_gift_cards! | The Appstros – FREE Gift Cards! (aka com.appstros.main) application 1.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5573 MISC |
arris — touchstone_dg950a_software | The Arris Touchstone DG950A cable modem with software 7.10.131 has an SNMP community of public, which allows remote attackers to obtain sensitive password, key, and SSID information via an SNMP request. | 2014-09-05 | 5.0 | CVE-2014-4863 CERT-VN MISC |
ask.fm — ask.fm-social_q&a_network | The Ask.fm – Social Q&A Network (aka com.askfm) application 1.2.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5574 CERT-VN MISC |
avd-app — avd_download_video | The AVD Download Video (aka com.myboyfriendisageek.videocatcher.demo) application 3.3.13 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5666 MISC |
avira — avira_secure_backup | The Avira Secure Backup (aka com.avira.avirabackup) application 1.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5576 MISC |
avolvesoftware — projectdox | Cross-site scripting (XSS) vulnerability in Avolve Software ProjectDox 8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-11 | 4.3 | CVE-2014-5129 XF BUGTRAQ |
avon — avon_buy&sell | The AVON Buy & Sell (aka com.AVONBeautyntheRep) application 0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5577 MISC |
backgroundcheckprotool — backgroundcheckprotool | The BackgroundCheckProTool (aka com.BackgroundCheckProTool) application 3.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5580 MISC |
band — band_-group_sharing_&_planning | The BAND -Group sharing & planning (aka com.nhn.android.band) application 3.2.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5668 MISC |
bashgaming — bingo_bash_free_bingo_casino | The Bingo Bash – Free Bingo Casino (aka air.com.bitrhymes.bingo) application 1.31.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5536 CERT-VN CERT-VN MISC |
beenverified — background_check_beenverified | The Background Check BeenVerified (aka com.beenverified.android) application 4.01.67 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5584 MISC |
biat — biatnet | The BIATNET (aka com.biatnet.mobile) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5586 MISC |
biggame — brokenscreencrank | The brokenscreencrank (aka com.biggame.brokenscreencrank) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5587 MISC |
blackbeltstudio — most_popular_ringtones | The Most Popular Ringtones (aka com.bbs.mostpopularringtones) application 32 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5583 MISC |
bmfapps — free_ebooks | The Free eBooks (aka com.bmfapps.freekindlebooks) application 14 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5588 MISC |
btwgames — snake_evolution | The Snake Evolution (aka com.btwgames.snake) application 1.3.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5590 MISC |
ca_lottery_results_project — ca_lottery_results | The CA Lottery Results (aka com.matcho0.calotto) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5657 MISC |
cacheguard — cacheguardos | Cross-site request forgery (CSRF) vulnerability in gui/password-wadmin.apl in CacheGuard OS 5.7.7 allows remote attackers to hijack the authentication of arbitrary users. | 2014-09-10 | 6.8 | CVE-2014-4865 CERT-VN |
casinogame — video_poker_casino | The Video Poker Casino (aka com.geaxgame.videopoker) application 1.0.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5631 MISC |
chewysoftware — abduction_stacker_free | The Abduction Stacker Free (aka air.com.chewygames.abductionstacker2) application 1.0.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5537 MISC |
choiceoflove — free_dating_heart_col | The Free Dating Heart COL (aka com.choiceoflove.dating) application 2.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5592 MISC |
christiancafe — christian_dating_cafe | The Christian Dating Cafe (aka com.christiancafe.mobile.android) application 1.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5593 MISC CERT-VN |
cibc — cibc_mobile_banking | The CIBC Mobile Banking (aka com.cibc.android.mobi) application 3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5594 MISC |
cisco — cli | The CLI in Cisco IOS XR allows remote authenticated users to obtain sensitive information via unspecified commands, aka Bug IDs CSCuq42336, CSCuq76853, CSCuq76873, and CSCuq45383. | 2014-09-11 | 4.0 | CVE-2014-3342 |
cisco — ios_xr | Cisco IOS XR 5.1 allows remote attackers to cause a denial of service (DHCPv6 daemon crash) via a malformed DHCPv6 packet, aka Bug ID CSCuo59052. | 2014-09-10 | 4.3 | CVE-2014-3343 |
cisco — integrated_management_controller | The SSH module in the Integrated Management Controller (IMC) before 2.3.1 in Cisco Unified Computing System on E-Series blade servers allows remote attackers to cause a denial of service (IMC hang) via a crafted SSH packet, aka Bug ID CSCuo69206. | 2014-09-10 | 5.0 | CVE-2014-3348 |
cmcm — cm_backup_-restore,cloud,photo | The CM Backup -Restore,Cloud,Photo (aka com.ijinshan.kbackup) application 1.1.0.135 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5640 MISC |
cmcm — cm_browser_-_fast_&_secure | The CM Browser – Fast & Secure (aka com.ksmobile.cb) application 5.0.50 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5655 MISC |
coles_credit_cards — coles_credit_card_app | The Coles Credit Card App (aka au.com.colesfinancialservices.mobile) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5562 MISC |
commerce — america’s_economy_for_phone | The America’s Economy for Phone (aka air.gov.census.mobile.phone.americaseconomy) application 1.5.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5557 MISC |
createdineden — buy_yorkshire_conference | The Buy Yorkshire Conference (aka com.gotfocus.buyyorkshire) application 1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5635 MISC |
cubettechnologies — cloud_manager | The Cloud Manager (aka com.ileaf.cloud_manager) application 1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5641 MISC |
deskroll — deskroll_remote_desktop | The DeskRoll Remote Desktop (aka com.deskroll.client1) application 0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5603 MISC |
devarai — word_search_free | The Word Search Free (aka air.wordSearchFree) application 4.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5561 MISC |
differencegames — hidden_memory_-_aladdin_free! | The Hidden Memory – Aladdin FREE! (aka air.com.differencegames.hmaladdinfree) application 1.0.31 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5541 MISC |
differencegames — hidden_object_-_alice_free | The Hidden Object – Alice Free (aka air.com.differencegames.hovisionsofalicefree) application 1.0.17 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5543 MISC |
digimobistudio — qq_copy | The QQ Copy (aka com.digimobistudio.qqcopy) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5605 MISC |
dish — dish_anywhere | The DISH Anywhere (aka com.sm.SlingGuide.Dish) application 3.5.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5704 MISC |
disney — where’s_my_perry?_free | The Where’s My Perry? Free (aka com.disney.WMPLite) application 1.5.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5606 MISC |
disney — where’s_my_water?_free | The Where’s My Water? Free (aka com.disney.WMWLite) application 1.9.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5607 MISC |
djinnworks — line_runner_(free) | The Line Runner (Free) (aka com.djinnworks.linerunnerfree) application 4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5608 MISC |
djinnworks — stickman_ski_racer | The Stickman Ski Racer (aka com.djinnworks.StickmanSkiRacer.free) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5609 MISC |
domino_labs — like4like:get_instagram_likes | The Like4Like: Get Instagram Likes (aka com.bepop.bepop) application 2.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5585 CERT-VN MISC |
dressup — dress_up!_girl_party | The Dress Up! Girl Party (aka com.sgn.DressUp.GirlParty) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5697 MISC |
ebay-kleinanzeigen — ebay_kleinanzeigen_for_germany | The eBay Kleinanzeigen for Germany (aka com.ebay.kleinanzeigen) application 5.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5611 MISC |
elokence — akinator_the_genie_free | The Akinator the Genie FREE (aka com.digidust.elokence.akinator.freemium) application 2.46 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5604 MISC CERT-VN |
emurasoft — emftp_professional | Emurasoft EmFTP allows local users to gain privileges via a Trojan horse executable file that is launched during an attempt to read a similarly named file that lacks a filename extension. | 2014-09-05 | 4.4 | CVE-2014-3910 JVNDB JVN MISC |
enigmail — enigmail | Enigmail 1.7.x before 1.7.2 sends emails in plaintext when encryption is enabled and only BCC recipients are specified, which allows remote attackers to obtain sensitive information by sniffing the network. | 2014-09-08 | 4.3 | CVE-2014-5369 MLIST MLIST CONFIRM SECUNIA SECUNIA SUSE |
entertailion — able_remote | The Able Remote (aka com.entertailion.android.remote) application 2.3.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5613 MISC |
etoolkit — love_collage_-_photo_editor | The Love Collage – Photo Editor (aka com.etoolkit.lovecollage) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5614 MISC |
exsoul-browser — exsoul_web_browser | The Exsoul Web Browser (aka com.exsoul) application 3.3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5617 MISC |
falconsc — wisepoint | Session fixation vulnerability in Falcon WisePoint 4.1.19.7 and earlier allows remote attackers to hijack web sessions via unspecified vectors. | 2014-09-05 | 6.8 | CVE-2014-3909 JVNDB |
familyconnect_project — familyconnect | The familyconnect (aka com.comcast.plaxo.familyconnect.app) application 1.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5600 MISC |
fiksu — fiksu | The Fiksu library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5814 MISC |
fingersoft — cartoon_camera | The Cartoon Camera (aka com.fingersoft.cartooncamera) application 1.2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5618 MISC |
flane — cisco_class_locator_fast_lane | The Cisco Class Locator Fast Lane (aka com.tabletkings.mycompany.fastlane.cisco) application for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5710 MISC |
flickatrade — flick_a_trade | The Flick a Trade (aka air.com.cygnecode.fat) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5540 CERT-VN MISC |
fluik — office_jerk_free | The Office Jerk Free (aka com.fluik.OfficeJerkFree) application 1.7.13 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5620 MISC |
fluik — office_zombie | The Office Zombie (aka com.fluik.OfficeZombieGoogleFree) application 1.3.13 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5621 MISC |
flurry — flurry-analytics-android | The Flurry library before 3.4.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-6024 MISC MISC |
flyfishing-and-flytying — fly_fishing_&_fly_tying | The Fly Fishing & Fly Tying (aka air.com.yudu.ReaderAIR3209899) application 3.21.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5556 MISC |
fortinet — fortios | The FortiManager protocol service in Fortinet FortiOS before 4.3.16 and 5.x before 5.0.8 on FortiGate devices does not prevent use of anonymous ciphersuites, which makes it easier for man-in-the-middle attackers to obtain sensitive information or interfere with communications by modifying the client-server data stream. | 2014-09-10 | 5.4 | CVE-2014-0351 |
franklychat — frankly_chat | The Frankly Chat (aka com.chatfrankly.android) application 3.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5591 CERT-VN CERT-VN MISC |
freshplanet — songpop | The SongPop (aka air.com.freshplanet.games.WaM) application 1.21.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5544 MISC |
fungames-forfree — sniper_shooter_free_-_fun_game | The Sniper Shooter Free – Fun Game (aka com.fungamesforfree.snipershooter.free) application 2.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5624 MISC |
gadgettrak — gadgettrak_mobile_security | The GadgetTrak Mobile Security (aka com.activetrak.android.app) application 1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5565 MISC |
gamegou — perfect_kick | The Perfect Kick (aka com.gamegou.PerfectKick.google) application 1.3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5625 MISC |
gameinfo — best_racing/moto_games_ranking | The Best Racing/moto Games Ranking (aka com.subapp.android.racing) application 2.2.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5708 MISC |
gameloft — gameloft_library | The Gameloft library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5529 CERT-VN MISC |
gameloft — brothers_in_arms_2_free+ | The Brothers In Arms 2 Free+ (aka com.gameloft.android.ANMP.GloftB2HM) application 1.2.0b for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5626 MISC |
gameloft — ice_age_village | The Ice Age Village (aka com.gameloft.android.ANMP.GloftIAHM) application 2.8.0m for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5627 MISC |
gameloft — wonder_zoo_-_animal_rescue_! | The Wonder Zoo – Animal rescue ! (aka com.gameloft.android.ANMP.GloftZRHM) application 1.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5628 MISC |
gameresort — stupid_zombies | The Stupid Zombies (aka com.gameresort.stupidzombies) application 1.12 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5629 MISC |
gcspublishing — home_repair | The Home Repair (aka com.gcspublishing.houserepairtalk) application 3.7.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5630 MISC |
getsetgames — mega_jump | The Mega Jump (aka com.getsetgames.megajump) application @7F080002 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5632 MISC |
girlgame — baby_get_up_-_kids_care | The Baby Get Up – Kids Care (aka air.brown.jordansa.getup) application 1.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5535 MISC |
girlsgames123 — kiss_kiss_office | The Kiss Kiss Office (aka com.girlsgames123.kisskissoffice) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5633 MISC |
gmarket — gmarket | The Gmarket (aka com.ebay.kr.gmarket) application 5.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5612 MISC |
go-text — text_me!_free_texting_&_call | The Text Me! Free Texting & Call (aka com.textmeinc.textme) application 2.5.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5714 MISC |
goabode — abode | The Abode (aka abode.webview) application 1.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5531 MISC |
google_sitemap_project — google_sitemap | Cross-site scripting (XSS) vulnerability in the Google Sitemap (weeaar_googlesitemap) extension 0.4.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-11 | 4.3 | CVE-2014-6240 BID |
granita — cloud_browser | The Cloud Browser (aka com.granitamalta.cloudbrowser) application 2.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5636 MISC |
group-office — groupoffice | SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter. | 2014-09-11 | 6.5 | CVE-2012-4240 XF BID MISC EXPLOIT-DB OSVDB BUGTRAQ |
hasb_e_haal_project — hasb_e_haal | The hasb_e_haal (aka com.anawaz.hasb_e_haal) application 1.0.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5567 MISC |
home_shopping_apps — buy_a_gift | The Buy A Gift (aka com.wBuyAGift) application 13529.90084 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5735 MISC |
huntington — huntington_mobile | The Huntington Mobile (aka com.huntington.m) application 2.1.222 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5638 MISC |
ibm — cognos_tm1 | IBM Cognos TM1 10.2.0.2 before IF1 and 10.2.2.0 before IF1 allows remote attackers to bypass intended access restrictions by visiting the Rights page and then following a generated link. | 2014-09-05 | 5.0 | CVE-2014-0877 XF |
ibm — rational_license_key_server | The Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4.x before 8.1.4.4 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | 2014-09-10 | 5.0 | CVE-2014-0909 |
ibm — rational_engineering_lifecycle_manager | Cross-site request forgery (CSRF) vulnerability in IBM Configuration Management Application (aka VVC) in IBM Rational Engineering Lifecycle Manager before 4.0.7 and 5.x before 5.0.1, Rational Software Architect Design Manager before 4.0.7 and 5.x before 5.0.1, and Rational Rhapsody Design Manager before 4.0.7 and 5.x before 5.0.1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences. | 2014-09-10 | 6.0 | CVE-2014-3037 |
ibm — rational_doors_next_generation | IBM Jazz Team Server, as used in Rational Collaborative Lifecycle Management; Rational Quality Manager 3.x before 3.0.1.6 iFix 3, 4.x before 4.0.7, and 5.x before 5.0.1; and other Rational products, does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | 2014-09-11 | 5.0 | CVE-2014-3092 XF |
ibm — initiate_master_data_service | Cross-site request forgery (CSRF) vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. | 2014-09-10 | 6.8 | CVE-2014-4783 XF |
ibm — initiate_master_data_service | IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 does not properly restrict use of FRAME elements, which allows remote attackers to conduct phishing attacks, and bypass intended access restrictions or obtain sensitive information, via a crafted web site, related to a “frame injection” issue. | 2014-09-10 | 4.3 | CVE-2014-4784 XF |
ibm — initiate_master_data_service | Cross-site request forgery (CSRF) vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences. | 2014-09-10 | 6.0 | CVE-2014-4785 XF |
ibm — initiate_master_data_service | IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 does not properly restrict use of FRAME elements, which allows remote authenticated users to conduct phishing attacks, and bypass intended access restrictions or obtain sensitive information, via a crafted web site, related to a “frame injection” issue. | 2014-09-10 | 4.9 | CVE-2014-4786 XF |
ibm — initiate_master_data_service | IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 does not have an off autocomplete attribute for authentication fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. | 2014-09-10 | 5.0 | CVE-2014-4788 XF |
ibm — initiate_master_data_service | Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack web sessions via unspecified vectors. | 2014-09-10 | 6.8 | CVE-2014-4789 XF |
ibm — websphere_portal | IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF28, 8.0.0 through 8.0.0.1 CF13, and 8.5.0 before CF02 allows remote authenticated users to cause a denial of service (disk consumption) by uploading large files. | 2014-09-11 | 4.0 | CVE-2014-4792 XF AIXAPAR |
ibm — urbancode_deploy | IBM UrbanCode Deploy 6.1.0.2 before IF1 allows remote authenticated users to read keystore secret keys via a direct request to a UI page. | 2014-09-10 | 4.0 | CVE-2014-6074 |
ilearnwith — animals!_kids_preschool_games | The Animals! Kids Preschool Games (aka air.com.tribalnova.Animals) application 1.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5550 MISC |
ilearnwith — alphabet_&_spelling_kids_games | The Alphabet & Spelling Kids Games (aka air.com.tribalnova.ilearnwith.ipad.App1En) application 1.4.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5551 MISC |
ilearnwith — numbers_&_addition!_math_games | The Numbers & Addition! Math games (aka air.com.tribalnova.ilearnwith.ipad.App2En) application 1.4.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5552 MISC |
ilearnwith — kids_preschool_learning_games | The Kids Preschool Learning Games (aka air.com.tribalnova.ilearnwith.ipad.App3En) application 1.3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5553 MISC |
ilearnwith — fun_preschool_creativity_game | The Fun Preschool Creativity Game (aka air.com.tribalnova.ilearnwith.ipad.MotherAppEn) application 1.6.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5554 MISC |
ilearnwith — counting_&_addition_kids_games | The Counting & Addition Kids Games (aka air.com.tribalnova.ilearnwith.ipad.PokoAddEn) application 1.8.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5555 MISC |
ilove — ilove_-_free_dating_&_chat_app | The iLove – Free Dating & Chat App (aka com.jestadigital.android.ilove) application 1.3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5649 MISC |
imperva — securesphere_web_application_firewall | Cross-site scripting (XSS) vulnerability in the Violations Table in the management GUI in the MX Management Server in Imperva SecureSphere Web Application Firewall (WAF) 9.0 allows remote attackers to inject arbitrary web script or HTML via the username field. | 2014-09-11 | 4.3 | CVE-2011-4887 XF BID MISC SECUNIA OSVDB |
impi — impi_mobile_security | The IMPI Mobile Security (aka com.impi) application 2.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5642 MISC |
inmobi — inmobi | The Inmobi library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5526 MISC |
instachat — instachat_-instagram_messenger | The Instachat -Instagram Messenger (aka com.instachat.android) application 1.6.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5643 MISC |
intellectualflame — brightest_led_flashlight | The Brightest LED Flashlight (aka com.intellectualflame.ledflashlight.washer) application 1.2.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5644 MISC |
intsig — camscanner_-phone_pdf_creator | The CamScanner -Phone PDF Creator (aka com.intsig.camscanner) application 3.4.0.20140624 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5645 MISC |
iobit — amc_security-_antivirus,_clean | The AMC Security- Antivirus, Clean (aka com.iobit.mobilecare) application 4.4.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5646 MISC |
islonline — isl_light_remote_desktop | The ISL Light Remote Desktop (aka com.islonline.isllight.mobile.android) application 2.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5647 MISC |
jaumo — chat,_flirt_&_dating_heart_jaumo | The Chat, Flirt & Dating Heart JAUMO (aka com.jaumo) application 2.7.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5648 MISC |
jazzpodiumdetor — jazzpodium_de_tor | The Jazzpodium De Tor (aka com.appmakr.app273713) application 206160 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5572 MISC |
jiuzhangtech — traffic_jam_free | The Traffic Jam Free (aka com.jiuzhangtech.rushhour) application 1.7.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5650 MISC |
jiuzhangtech — word_search | The Word Search (aka com.virtuesoft.wordsearch) application 2.3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5731 MISC |
jogoeusei — eu_sei | The Eu Sei (aka com.guilardi.eusei) application eusei_android_5.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5637 MISC |
josiane_sauveterre — goldfish_care | The Kids GoldFish Care (aka air.josiane.sauveterre.kidsgoldfishcare) application 1.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5559 MISC |
kaspersky — kaspersky_internet_security | The Kaspersky Internet Security (aka com.kms.free) application 11.4.4.232 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5654 MISC |
kicksend — kicksend:_share_&_print_photos | The Kicksend: Share & Print Photos (aka com.kicksend.android) application 3.3.2.18 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5651 MISC |
kicksend — kicksend_photo_prints | The Kicksend Photo Prints (aka com.kicksend.android.print) application 1.0.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5652 MISC |
kiragames — unblock_me_free | The Unblock Me FREE (aka com.kiragames.unblockmefree) application 1.4.4.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5653 MISC |
ldap_project — ldap | Unspecified vulnerability in the LDAP (eu_ldap) extension before 2.8.18 for TYPO3 allows remote authenticated users to obtain sensitive information via unknown vectors. | 2014-09-11 | 4.0 | CVE-2014-6232 XF BID SECUNIA |
lgr_mobile_apps — show_do_milhao_2014 | The Show do Milhao 2014 (aka br.com.lgrmobile.sdm) application 1.4.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5563 MISC |
litter_penguin — web_browser_&_explorer | The Web Browser & Explorer (aka com.explore.web.browser) application 2.0.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5616 MISC |
little_games — africa_memory | The Africa Memory (aka air.com.klon4enabor4e.AfricaMemory) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5546 MISC |
madipass — madipass_martinique | The Madipass Martinique (aka com.goodbarber.madipassmartinique) application 1.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5634 MISC |
magzter — magzter_-magazine_&_book_store | The Magzter -Magazine & Book Store (aka com.dci.magzter) application 3.31 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5602 MISC |
makingmoneywithandroid — ingress_intel_helper | The Ingress Intel Helper (aka com.bb.ingressintel) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5582 MISC |
mdickie — hard_time | The Hard Time (Prison Sim) (aka air.HardTime) application 1.111 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5558 MISC |
mdickie — popscene | The Popscene (Music Industry Sim) (aka air.Popscene) application 1.04 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5560 MISC |
mercadolibre — mercadolibre | The MercadoLibre (aka com.mercadolibre) application 3.8.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5658 MISC |
metago — astro_file_manager_with_cloud | The ASTRO File Manager with Cloud (aka com.metago.astro) application ASTRO-4.4.592 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5659 MISC |
microsoft — lync_server | The Response Group Service in Microsoft Lync Server 2010 and 2013 and the Core Components in Lync Server 2013 do not properly handle exceptions, which allows remote attackers to cause a denial of service (daemon hang) via a crafted call, aka “Lync Denial of Service Vulnerability.” | 2014-09-09 | 5.0 | CVE-2014-4068 CONFIRM |
microsoft — lync_server | Cross-site scripting (XSS) vulnerability in the Web Components Server in Microsoft Lync Server 2013 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka “Lync XSS Information Disclosure Vulnerability.” | 2014-09-09 | 4.3 | CVE-2014-4070 |
microsoft — lync_server | The Server in Microsoft Lync Server 2013 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon hang) via a crafted request, aka “Lync Denial of Service Vulnerability.” | 2014-09-09 | 5.0 | CVE-2014-4071 CONFIRM |
microsoft — .net_framework | Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 does not properly use a hash table for request data, which allows remote attackers to cause a denial of service (resource consumption and ASP.NET performance degradation) via crafted requests, aka “.NET Framework Denial of Service Vulnerability.” | 2014-09-09 | 5.0 | CVE-2014-4072 CONFIRM |
microsoft — windows_8 | The Task Scheduler in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via an application that schedules a crafted task, aka “Task Scheduler Vulnerability.” | 2014-09-09 | 6.8 | CVE-2014-4074 |
microsoft — microsoft_tech_companion | The Microsoft Tech Companion (aka com.technet) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5711 MISC |
miniclip — anger_of_stick_3 | The Anger of Stick 3 (aka com.miniclip.angerofstick3) application 1.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5661 MISC |
miniclip — rail_rush | The Rail Rush (aka com.miniclip.railrush) application 1.9.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5662 MISC |
miniupnp_project — miniupnpd | The getHTTPResponse function in miniwget.c in MiniUPnP 1.9 allows remote attackers to cause a denial of service (crash) via crafted headers that trigger an out-of-bounds read. | 2014-09-11 | 5.0 | CVE-2014-3985 CONFIRM CONFIRM BID MLIST MLIST |
mirror_photo_&_shape_project — mirror_photo_&_shape | The mirror photo shape (aka com.baiwang.styleinstamirror) application 1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5581 MISC |
mobbtech — follow_mania_for_instagram | The Follow Mania for Instagram (aka com.followmania) application 1.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5622 MISC |
mobilityware — freecell_solitaire | The FreeCell Solitaire (aka com.mobilityware.freecell) application 2.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5663 MISC |
mobilityware — spider_solitaire | The Spider Solitaire (aka com.mobilityware.spider) application 3.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5664 MISC |
mymembersfirst — tn_members_1st_fcu-rdc | The TN Members 1st FCU-RDC (aka com.metova.cuae.tmffcu) application 1.0.28 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5660 MISC |
netmaster — cbw700_software | The Netmaster CBW700N cable modem with software 81.447.392110.729.024 has an SNMP community of public, which allows remote attackers to obtain sensitive credential, key, and SSID information via an SNMP request. | 2014-09-05 | 5.0 | CVE-2014-4862 CERT-VN MISC |
ninjakiwi — sas:_zombie_assault_3 | The SAS: Zombie Assault 3 (aka com.ninjakiwi.sas3zombieassault) application 2.56 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5670 MISC |
nodejs — nodejs | Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack. | 2014-09-05 | 5.0 | CVE-2014-5256 CONFIRM |
noodlecake — super_stickman_golf | The Super Stickman Golf (aka com.noodlecake.ssg) application 2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5671 MISC |
nowbrowser — now_browser_(material) | The Now Browser (Material) (aka com.browser.nowbasic) 2.8.1 application Material for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5589 MISC |
nq — vault-hide_sms,_pics_&_videos | The Vault-Hide SMS, Pics & Videos (aka com.netqin.ps) application 5.0.14.22 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5667 MISC |
nq — nq_mobile_security_&_antivirus | The NQ Mobile Security & Antivirus (aka com.nqmobile.antivirus20) application 7.2.16.00 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5672 MISC |
nq — easy_finder_&_anti-theft | The Easy Finder & Anti-Theft (aka com.nqmobile.easyfinder) application 2.0.10.08 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5673 MISC |
ntop — ntopng | Cross-site scripting (XSS) vulnerability in the nDPI traffic classification library in ntopng (aka ntop) before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header. | 2014-09-08 | 4.3 | CVE-2014-5464 XF BID BUGTRAQ BUGTRAQ EXPLOIT-DB SECUNIA FULLDISC FULLDISC MISC OSVDB |
open_graph_protocol_project — open_graph_protocol | Cross-site scripting (XSS) vulnerability in the Open Graph protocol (jh_opengraphprotocol) extension before 1.0.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-11 | 4.3 | CVE-2014-6234 XF BID SECUNIA |
ovirt — ovirt | Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors. | 2014-09-08 | 6.8 | CVE-2014-0152 |
ovirt — ovirt | The REST API in oVirt 3.4.0 and earlier stores session IDs in HTML5 local storage, which allows remote attackers to obtain sensitive information via a crafted web page. | 2014-09-08 | 4.3 | CVE-2014-0153 |
penguinchefshop_project — penguinchefshop | The penguinchefshop (aka com.freegames.penguinchefshop) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5623 MISC |
perblue — parallel_kingdom_mmo | The Parallel Kingdom MMO (aka com.silvermoon.client) application @7F070019 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5699 MISC |
permadi — mahjong_galaxy_space_lite | The Mahjong Galaxy Space Lite (aka air.com.permadi.mahjongIris) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5547 MISC |
picsart — picsart_-_photo_studio | The PicsArt – Photo Studio (aka com.picsart.studio) application 4.5.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5674 MISC |
pinssible — phonegram_-_instagram_download | The Phonegram – Instagram Download (aka com.pinssible.padgram) application 1.9.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5675 MISC |
playrix — township | The Township (aka com.playrix.township) application 1.5.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5676 MISC |
playscape — mominis_library | The MoMinis library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5525 CERT-VN MISC |
pocketmags — gambling_insider_magazine | The Gambling Insider Magazine (aka com.triactivemedia.gambling) application @7F0801AA for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5724 MISC |
pointinside — point_inside_shopping_&_travel | The Point Inside Shopping & Travel (aka com.pointinside.android.app) application 3.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5677 MISC |
pop-hub — iq_test | The IQ Test (aka com.pophub.androidiqtest.free) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5678 MISC |
popuapp — popu_2:_get_likes_on_instagram | The PopU 2: Get Likes on Instagram (aka com.popuapp.popu) application 1.7.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5679 MISC |
retale — retale_-_weekly_ads_&_deals | The Retale – Weekly Ads & Deals (aka com.retale.android) application 2.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5682 MISC |
rubycell — piano_teacher | The Piano Teacher (aka com.rubycell.pianisthd) application 20140730 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5683 MISC |
runkeeper — runkeeper_-_gps_track_run_walk | The RunKeeper – GPS Track Run Walk (aka com.fitnesskeeper.runkeeper.pro) application 4.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5619 CERT-VN MISC |
runtastic — runtastic_running_&_fitness | The Runtastic Running & Fitness (aka com.runtastic.android) application 5.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5684 MISC |
runtastic — runtastic_heart_rate | The Runtastic Heart Rate (aka com.runtastic.android.heartrate.lite) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5685 MISC |
runtastic — runtastic_me | The Runtastic Me (aka com.runtastic.android.me.lite) application 1.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5686 MISC |
runtastic — runtastic_mountain_bike | The Runtastic Mountain Bike (aka com.runtastic.android.mountainbike.lite) application 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5687 MISC |
runtastic — runtastic_pedometer | The Runtastic Pedometer (aka com.runtastic.android.pedometer.lite) application 1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5688 MISC |
runtastic — runtastic_road_bike | The Runtastic Road Bike (aka com.runtastic.android.roadbike.lite) application 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5689 MISC |
runtastic — runtastic_timer | The Runtastic Timer (aka com.runtastic.android.timer) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5690 MISC |
rvappstudios — best_phone_security | The Best Phone Security (aka com.rvappstudios.phonesecurity) application for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5691 MISC |
safeway — safeway | The Safeway (aka com.safeway.client.android.safeway) application 4.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5692 MISC |
sanriodigital — hello_kitty_cafe | The Hello Kitty Cafe (aka com.sd.google.helloKittyCafe) application 1.4.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5695 MISC |
sap — netweaver | Buffer overflow in disp+work.exe 7000.52.12.34966 and 7200.117.19.50294 in the Dispatcher in SAP NetWeaver 7.00 and 7.20 allows remote authenticated users to cause a denial of service or execute arbitrary code via unspecified vectors. | 2014-09-05 | 6.5 | CVE-2014-6252 CONFIRM SECUNIA CONFIRM MISC |
scoutmob — scoutmob_local_deals_&_event | The Scoutmob local deals & events (aka com.scoutmob.ile) application 3.0.18 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5694 MISC |
sega — sonic_4_episode_ii_lite | The Sonic 4 Episode II LITE (aka com.sega.sonic4ep2lite) application 2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5696 MISC |
sega — sonic_cd_lite | The Sonic CD Lite (aka com.soa.sega.soniccdlite) application 1.0.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5705 MISC |
sensysnetworks — trafficdot | Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not use encryption, which allows remote attackers to interfere with traffic control by replaying transmissions on a wireless network. | 2014-09-05 | 5.4 | CVE-2014-2379 MISC |
seven_bulls — christmas_words | The Christmas Words (aka air.com.sevenBulls.summerWords) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5548 MISC |
sheado — furdiburb | The Furdiburb (aka com.sheado.lite.pet) application 1.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5698 MISC |
sixdead — brain_lab_-_brain_age_games_iq | The Brain lab – brain age games IQ (aka com.sixdead.brainlab) application 2.37 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5700 MISC |
skout — skout:_chats._friends._fun. | The Skout: Chats. Friends. Fun. (aka com.skout.android) application 4.3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5701 MISC |
skyboardapps — penguin_run | The Penguin Run (aka com.skyboard.google.penguinRun) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5702 MISC |
slingo — slingo_lottery_challenge | The Slingo Lottery Challenge (aka com.slingo.slingolotterychallenge) application 1.0.34 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5703 MISC |
snapone — snap_secure | The Snap Secure (aka com.exclaim.snapsecure.app) application 9.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5615 MISC |
somcloud — somnote_-_journal/memo | The SomNote – Journal/Memo (aka com.somcloud.somnote) application 2.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5706 MISC |
sos — jobscheduler | Cross-site scripting (XSS) vulnerability in the JobScheduler Operations Center (JOC) in SOS JobScheduler before 1.6.4246 and 1.7.x before 1.7.4241 allows remote attackers to inject arbitrary web script or HTML via the hash property (location.hash). | 2014-09-11 | 4.3 | CVE-2014-5391 CONFIRM XF BID BUGTRAQ MISC MISC |
sos — jobscheduler | Directory traversal vulnerability in the JobScheduler Operations Center (JOC) in SOS JobScheduler before 1.6.4246 and 1.7.x before 1.7.4241 allows remote authenticated users with the info permission to read arbitrary files in the webroot via unspecified vectors. | 2014-09-11 | 4.0 | CVE-2014-5393 CONFIRM XF BUGTRAQ MISC MISC |
squid-cache — squid | HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted “Range headers with unidentifiable byte-range values.” | 2014-09-11 | 5.0 | CVE-2014-3609 CONFIRM DEBIAN SECUNIA SECUNIA |
ssfcu — security_service_mybranch_app | The Security Service myBranch App (aka com.tyfone.ssfcu.mbanking) application 7.88.00.145 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5726 MISC |
starluxstudios — puppy_slots | The Puppy Slots (aka air.com.starluxstudios.PuppySlotsFree) application 3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5549 MISC |
sunstormgames — donut_maker | The Donut Maker (aka com.sunstorm.android.donut) application 1.27 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5709 MISC |
swiftkey — swiftkey_keyboard_+_emoji | The SwiftKey Keyboard + Emoji (aka com.touchtype.swiftkey) application 5.0.2.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5722 MISC |
synology — diskstation_manager | Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php. | 2014-09-12 | 4.3 | CVE-2012-1556 XF BID SECUNIA OSVDB BUGTRAQ |
tamalaki — hidden_object_mystery | The Hidden Object Mystery (aka air.com.differencegames.hodetectivemysteryfree) application 1.0.65 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5542 CERT-VN MISC |
tapatalk — tapatalk | The Tapatalk (aka com.quoord.tapatalkpro.activity) application 4.8.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5680 MISC |
tapjoy — tapjoy_library | The Tapjoy library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5527 CERT-VN MISC |
tektite — turbo_river_racing_free | The Turbo River Racing Free (aka com.tektite.androidgames.trrfree) application 1.07 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5712 MISC |
telly — telly-watch_the_good_stuff | The Telly – Watch the good stuff (aka com.telly) application 2.5.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5713 MISC |
thegameboss — street_racing | The Street Racing (aka com.tgb.streetracing.lite5pp) application 4.0.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5715 MISC |
theonegames — gunship_battle:helicopter_3d | The GUNSHIP BATTLE : Helicopter 3D (aka com.theonegames.gunshipbattle) application 1.1.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5716 MISC |
threadflip — threadflip_:_buy,_sell_fashion | The Threadflip : Buy, Sell Fashion (aka com.threadflip.android) application 1.1.11 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5718 MISC |
timuz — bike_racing_2014 | The BIKE RACING 2014 (aka com.timuzsolutions.bikeracing2014) application 1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5719 MISC |
topfreegames — bike_race_free_-_top_free_game | The Bike Race Free – Top Free Game (aka com.topfreegames.bikeracefreeworld) application 4.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5720 MISC |
torrentflux — torrentflux | TorrentFlux 2.4 allows remote authenticated users to obtain other users’ cookies via the cid parameter in an editCookies action to profile.php. | 2014-09-05 | 4.0 | CVE-2014-6028 MISC SECTRACK MLIST MLIST |
torrentflux — torrentflux | TorrentFlux 2.4 allows remote authenticated users to delete or modify other users’ cookies via the cid parameter in an editCookies action to profile.php. | 2014-09-05 | 4.9 | CVE-2014-6029 MISC SECTRACK MLIST MLIST |
torrnad0 — sprint_jump | The Sprint jump (aka air.com.ilaz.appilas) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5545 MISC |
touchnote — touchnote_postcards | The Touchnote Postcards (aka com.touchnote.android) application 4.2.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5721 MISC |
traauctions — tra_auctions_for_buyers | The TRA Auctions for Buyers (aka com.manheim.tra) application 2.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5656 MISC |
trading_212 — trading_212_forex | The Trading 212 FOREX (aka com.avuscapital.trading212) application 2.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5578 MISC |
trapster — trapster | The Trapster (aka com.trapster.android) application 4.3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5723 MISC |
tribulant — tibulant_slideshow_gallery | Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/. | 2014-09-11 | 6.5 | CVE-2014-5460 CONFIRM XF BUGTRAQ EXPLOIT-DB MISC SECUNIA MISC |
truecaller — truecaller-caller_id_&_block | The Truecaller – Caller ID & Block (aka com.truecaller) application 4.32 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5725 MISC |
utorrent — utorrent_remote | The uTorrent Remote (aka com.utorrent.web) application 1.0.20110929 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5727 MISC |
vevo — vevo-watch_hd_music_videos | The Vevo – Watch HD Music Videos (aka com.vevo) application 2.0.27 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5728 MISC |
viddy — viddy | The Viddy (aka com.viddy.Viddy) application 1.3.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5729 MISC |
videotelecom — russkoe_tb_hd | The russkoe TB HD (aka com.videotelecom.russkoeHD) application 3.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5730 MISC |
wamba — wamba-meet_women_and_men | The Wamba – meet women and men (aka com.wamba.client) application 3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5732 MISC |
water_wish — shop_love | The Shop Love (aka com.waterwish.shoplove) application 1.05 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5733 MISC |
withbuddies — slots_vacation_-_free_slots_ | The Slots Vacation – FREE Slots (aka com.scopely.slotsvacation) application 1.47.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5693 MISC |
withhive — actionpuzzlefamily_for_kakao | The actionpuzzlefamily for Kakao (aka com.com2us.actionpuzzlefamily.kakao.freefull.google.global.android.common) application 1.4.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5595 MISC |
withhive — homerun_battle_2 | The Homerun Battle 2 (aka com.com2us.homerunbattle2.normal.freefull.google.global.android.common) application 1.2.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5596 MISC |
withhive — 9_innings:_2014_pro_baseball | The 9 Innings: 2014 Pro Baseball (aka com.com2us.nipb2013.normal.freefull.google.global.android.common) application 4.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5597 MISC |
withhive — puzzle_family | The Puzzle Family (aka com.com2us.puzzlefamily.up.freefull.google.global.android.common) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5598 MISC |
withhive — tiny_farm | The Tiny Farm (aka com.com2us.tinyfarm.normal.freefull.google.global.android.common) application 2.02.00 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5599 MISC |
xda-developers — xda-developers | The XDA-Developers (aka com.quoord.tapatalkxda.activity) application 3.9.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5681 MISC |
xoops — xoops | Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/ xoopsimagemanager/xoopsimagebrowser.php. |
2014-09-11 | 4.3 | CVE-2012-0984 MISC XF BID EXPLOIT-DB SECUNIA MISC OSVDB OSVDB BUGTRAQ |
zohocorp — manageengine_eventlog_analyzer | ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. | 2014-09-11 | 6.5 | CVE-2014-6043 FULLDISC MISC BID EXPLOIT-DB FULLDISC MISC |
zopim — zopim_library | The Zopim library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5530 CERT-VN MISC |
Low Vulnerabilities
Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
cisco — unified_communications_manager | Cross-site scripting (XSS) vulnerability in the web framework in Cisco Unified Communications Manager (UCM) 9.1(2.10000.28) allows remote authenticated users to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCuq68443. | 2014-09-11 | 3.5 | CVE-2014-3363 |
eucalyptus — eucalyptus | The Storage Controller (SC) component in Eucalyptus 3.4.2 through 4.0.x before 4.0.1, when Dell Equallogic SAN is used, logs the CHAP user credentials, which allows local users to obtain sensitive information by reading the logs. | 2014-09-05 | 1.9 | CVE-2014-5036 SECUNIA SECUNIA |
ibm — rational_license_key_server | The Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4.x before 8.1.4.4 allows remote authenticated users to bypass authorization checks and visit unspecified URLs with license-usage data via a DESCRIBE clause in a SPARQL query. | 2014-09-10 | 2.1 | CVE-2014-3079 |
ibm — rational_license_key_server | The Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4.x before 8.1.4.4 allows remote authenticated users to hijack sessions via unspecified vectors. | 2014-09-10 | 3.5 | CVE-2014-4756 |
ibm — websphere_portal | Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 through 8.0.0.1 CF13 and 8.5.0 before CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2014-09-11 | 3.5 | CVE-2014-4762 XF AIXAPAR |
ibm — initiate_master_data_service | Cross-site scripting (XSS) vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-10 | 3.5 | CVE-2014-4787 XF |
netgear — prosafe_firmware | The NETGEAR ProSafe Plus Configuration Utility creates configuration backup files containing cleartext passwords, which might allow remote attackers to obtain sensitive information by reading a file. | 2014-09-10 | 3.3 | CVE-2014-4864 |
news_pack_project — news_pack | Cross-site scripting (XSS) vulnerability in the News Pack extension 0.1.0 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-11 | 3.5 | CVE-2014-6237 XF BID |
sixapart — movabletype | Cross-site scripting (XSS) vulnerability in the management page in Six Apart Movable Type before 5.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-10 | 3.5 | CVE-2014-5313 JVNDB CONFIRM |
spiceworks — spiceworks | Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page. | 2014-09-11 | 3.5 | CVE-2014-3740 EXPLOIT-DB SECUNIA FULLDISC MISC MISC MISC OSVDB |
srvx — srvx | Multiple integer overflows in the HelpServ module (mod-helpserv.c) in srvx 1.3.1 allow remote authenticated IRCops or HelpServ bot managers to cause a denial of service (infinite loop) via a large value in the EmptyInterval parameter or certain other interval configurations. | 2014-09-05 | 3.5 | CVE-2014-5508 BID MLIST MLIST |
This product is provided subject to this Notification and this Privacy & Use policy.
DVWA Cross Site Request Forgery
Damn Vulnerable Web Application, which is meant to be a vulnerable web application for security testing, can be leveraged by attackers to compromise your system when in use. This is a good reminder to only use DVWA on an air-gapped network. This exploits demonstrates the ability to gain code execution on the system.
Phishing email: UK hit with three times as many ‘bad’ links as U.S.
British internet users opening a spam email are three times more likely to be facing a malicious URL than users in the US, according to new research by phishing email specialists Proofpoint. German and French internet users were hit by fewer still, with just a fifth of the levels British internet users endure.
British users appear to be being targeted with high levels of financial malware, such as the banking Trojan Dyre.
Oddly, this finding does not correlate to a high level of spam email targeting the country. Germans receive the highest percentage of spam email overall, according to Tech World.
The findings come from an analysis of seven billion URLs monitored every week over a three week period this summer.
Phishing email: smells fishy?
Tech World comments, “This raises the possibility that the higher phishing email levels aimed at the UK are a random fluctuation and a result of when the time period chosen than a fundamental trend.”
Proofpoint responded via email that the high level of targeted financial phishing email suggested that Britain was being targeted with malware simply because it brought lucrative returns.
“The attacks are clearly financially motivated. We’ve historically seen higher volumes of attacks targeted at regions that generate more success for the attackers because that’s where the money is,” said Proofpoint VP of security, Kevin Epstein.
“Relative to other countries in this report, this is a startlingly high number of targeted attacks against the UK. Given the financial motivations of the attacks, this strongly suggests cybercriminals have found UK organizations to be an unusually lucrative target.”
Dyre warning for British users
Infosecurity Magazine points out that among the malicious payloads delivered to British users was a high number of emails containing the Dyre banking Trojan, which was in the headlines again last week, after the malware was used to target users of the popular Customer Relationship Management software Salesforce.
Named Dyre, or Dyreza (and detected by ESET software as Win32/Battdil.A), the Trojan software was discovered by researchers investigating a phishing scam that was spreading via Dropbox. It is believed to be a completely new family of malware, similar to but sufficiently distinct from, the Zeus malware.
Dyre has been designed to target certain banks in particular â Bank of America, CitiGroup, but also a large number of British banks, in particular NatWest, RBS and Ulsterbank.
It is thought to be an example of âcrime-as-a-serviceâ â malware for hire to the highest bidder. It has been found able to bypass both SSL encryption and two-factor authentication systems.
Speaking to Infosecurity, Proofpoint suggested that the malware had, “become increasingly popular in the wake of the Gameover Zeus takedown.”
Â
The post Phishing email: UK hit with three times as many ‘bad’ links as U.S. appeared first on We Live Security.
Splendid CRM Cross Site Scripting
Splendid CRM suffers from a persistent cross site scripting vulnerability.
MyITCRM Cross Site Scripting
MyITCRM suffers from a persistent cross site scripting vulnerability.
PoisonShell PHP Backdoor
PoisonShell is a simple PHP shell that has several options.