CVE-2014-9767

Affected configuration(s):

cpe:/a:hiphop_virtual_machine_for_php_project:hiphop_virtual_machine_for_php:3.12
cpe:/a:php:php:5.4.45
cpe:/a:php:php:5.5.0
cpe:/a:php:php:5.5.1
cpe:/a:php:php:5.5.2
cpe:/a:php:php:5.5.3
cpe:/a:php:php:5.5.4
cpe:/a:php:php:5.5.5
cpe:/a:php:php:5.5.6
cpe:/a:php:php:5.5.7
cpe:/a:php:php:5.5.8
cpe:/a:php:php:5.5.9
cpe:/a:php:php:5.5.10
cpe:/a:php:php:5.5.11
cpe:/a:php:php:5.5.12
cpe:/a:php:php:5.5.13
cpe:/a:php:php:5.5.14
cpe:/a:php:php:5.5.18
cpe:/a:php:php:5.5.19
cpe:/a:php:php:5.5.20
cpe:/a:php:php:5.5.21
cpe:/a:php:php:5.5.22
cpe:/a:php:php:5.5.23
cpe:/a:php:php:5.5.24
cpe:/a:php:php:5.5.25
cpe:/a:php:php:5.5.26
cpe:/a:php:php:5.5.27
cpe:/a:php:php:5.5.28
cpe:/a:php:php:5.6.0
cpe:/a:php:php:5.6.1
cpe:/a:php:php:5.6.2
cpe:/a:php:php:5.6.3
cpe:/a:php:php:5.6.4
cpe:/a:php:php:5.6.5
cpe:/a:php:php:5.6.6
cpe:/a:php:php:5.6.7
cpe:/a:php:php:5.6.8
cpe:/a:php:php:5.6.9
cpe:/a:php:php:5.6.10
cpe:/a:php:php:5.6.11
cpe:/a:php:php:5.6.12

Date published: 2016-05-21T21:59:00.163-04:00

Date last modified: 2017-09-06T21:29:00.227-04:00

CVSS Score: 4.3

Principal attack vector: NETWORK

Complexity: MEDIUM

Reference URL: http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00052.html

Summary: Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.

CVE-2014-1750

Affected configuration(s):

cpe:/a:nokia_maps_%26_places_project:nokia_maps_%26_places:1.6.6::~~~wordpress~~

Date published: 2015-07-01T10:59:00.067-04:00

Date last modified: 2016-05-27T12:08:10.770-04:00

CVSS Score: 5.8

Principal attack vector: NETWORK

Complexity: MEDIUM

Reference URL: http://seclists.org/oss-sec/2014/q1/173

Summary: Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as a cross-site scripting (XSS) vulnerability, but this may be inaccurate.

CVE-2014-8618

Affected configuration(s):

cpe:/h:fortinet:fortiadc-1500d:-
cpe:/h:fortinet:fortiadc-2000d:-
cpe:/h:fortinet:fortiadc-200d:-
cpe:/h:fortinet:fortiadc-4000d:-
cpe:/h:fortinet:fortiadc-700d:-
cpe:/o:fortinet:fortiadc_firmware:4.1.0

Date published: 2015-05-12T15:59:01.377-04:00

Date last modified: 2017-01-02T21:59:20.407-05:00

CVSS Score: 4.3

Principal attack vector: NETWORK

Complexity: MEDIUM

Reference URL: http://www.fortiguard.com/advisory/FG-IR-15-005/

Summary: Cross-site scripting (XSS) vulnerability in the theme login page in Fortinet FortiADC D models before 4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-8391

Affected configuration(s):

cpe:/a:sendio:sendio:7.2.3

Date published: 2015-06-02T10:59:01.833-04:00

Date last modified: 2016-05-27T11:48:14.907-04:00

CVSS Score: 4.0

Principal attack vector: NETWORK

Complexity: LOW

Reference URL: http://packetstormsecurity.com/files/132022/Sendio-ESP-Information-Disclosure.html

Summary: The Web interface in Sendio before 7.2.4 does not properly handle sessions, which allows remote authenticated users to obtain sensitive information from other users’ sessions via a large number of requests.

CVE-2014-8619

Affected configuration(s):

cpe:/a:fortinet:fortiweb:5.1.2
cpe:/a:fortinet:fortiweb:5.1.3
cpe:/a:fortinet:fortiweb:5.1.4
cpe:/a:fortinet:fortiweb:5.2.0
cpe:/a:fortinet:fortiweb:5.2.1
cpe:/a:fortinet:fortiweb:5.2.2
cpe:/a:fortinet:fortiweb:5.2.3
cpe:/a:fortinet:fortiweb:5.2.4
cpe:/a:fortinet:fortiweb:5.3.0
cpe:/a:fortinet:fortiweb:5.3.1
cpe:/a:fortinet:fortiweb:5.3.2
cpe:/a:fortinet:fortiweb:5.3.3
cpe:/a:fortinet:fortiweb:5.3.4

Date published: 2015-05-12T15:59:02.643-04:00

Date last modified: 2017-01-02T21:59:20.457-05:00

CVSS Score: 4.3

Principal attack vector: NETWORK

Complexity: MEDIUM

Reference URL: http://www.fortiguard.com/advisory/FG-IR-15-005/

Summary: Cross-site scripting (XSS) vulnerability in the autolearn configuration page in Fortinet FortiWeb 5.1.2 through 5.3.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1939

Affected configuration(s):

cpe:/a:lenovo:shareit:3.5.88_ww::~~~android~~
cpe:/o:google:android:4.0
cpe:/o:google:android:4.0.1
cpe:/o:google:android:4.0.2
cpe:/o:google:android:4.0.3
cpe:/o:google:android:4.0.4
cpe:/o:google:android:4.1
cpe:/o:google:android:4.1.2
cpe:/o:google:android:4.2
cpe:/o:google:android:4.2.1
cpe:/o:google:android:4.2.2
cpe:/o:google:android:4.3
cpe:/o:google:android:4.3.1

Date published: 2014-03-02T23:50:46.453-05:00

Date last modified: 2016-05-26T08:22:39.743-04:00

CVSS Score: 7.5

Principal attack vector: NETWORK

Complexity: LOW

Reference URL: http://blog.chromium.org/2013/11/introducing-chromium-powered-android.html

Summary: java/android/webkit/BrowserFrame.java in Android before 4.4 uses the addJavascriptInterface API in conjunction with creating an object of the SearchBoxImpl class, which allows attackers to execute arbitrary Java code by leveraging access to the searchBoxJavaBridge_ interface at certain Android API levels.

CVE-2014-1683

Affected configuration(s):

cpe:/a:skybluecanvas:skybluecanvas:1.1_r248-03

Date published: 2014-01-29T13:55:27.027-05:00

Date last modified: 2017-08-28T21:34:27.310-04:00

CVSS Score: 6.8

Principal attack vector: NETWORK

Complexity: MEDIUM

Reference URL: http://packetstormsecurity.com/files/124948/SkyBlueCanvas-CMS-1.1-r248-03-Command-Injection.html

Summary: The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name, (2) email, (3) subject, or (4) message parameter to index.php.

CVE-2014-1610

Affected configuration(s):

cpe:/a:mediawiki:mediawiki:1.19.0
cpe:/a:mediawiki:mediawiki:1.19.1
cpe:/a:mediawiki:mediawiki:1.19.2
cpe:/a:mediawiki:mediawiki:1.19.3
cpe:/a:mediawiki:mediawiki:1.19.4
cpe:/a:mediawiki:mediawiki:1.19.5
cpe:/a:mediawiki:mediawiki:1.19.6
cpe:/a:mediawiki:mediawiki:1.19.7
cpe:/a:mediawiki:mediawiki:1.19.8
cpe:/a:mediawiki:mediawiki:1.19.9
cpe:/a:mediawiki:mediawiki:1.19.10
cpe:/a:mediawiki:mediawiki:1.21.1
cpe:/a:mediawiki:mediawiki:1.21.2
cpe:/a:mediawiki:mediawiki:1.21.3
cpe:/a:mediawiki:mediawiki:1.21.4
cpe:/a:mediawiki:mediawiki:1.22.0
cpe:/a:mediawiki:mediawiki:1.22.1

Date published: 2014-01-30T18:55:02.413-05:00

Date last modified: 2016-05-25T11:01:37.037-04:00

CVSS Score: 6.0

Principal attack vector: NETWORK

Complexity: MEDIUM

Reference URL: http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127942.html

Summary: MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.