
Vulnerability Summary for the Week of November 24, 2014

Please Note:

• The vulnerabilities are categorized by their level of severity, which is either High, Medium or Low.

• The CVE identity number is the publicly known ID given to that particular vulnerability. Therefore you can search the status of that particular vulnerability using that ID.

• The CVSS (Common Vulnerability Scoring System) score is a standard scoring system used to determine the severity of the vulnerability.

High Severity Vulnerabilities

Each entry below gives: The Primary Vendor --- Product; Description; Date Published; CVSS Score; The CVE Identity (followed by the reference source labels, where the bulletin lists any).

adobe -- air
Adobe Flash Player before 13.0.0.258 and 14.x and 15.x before 15.0.0.239 on Windows and OS X and before 11.2.202.424 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302 allow attackers to execute arbitrary code or cause a denial of service (invalid pointer dereference) via unspecified vectors.
Date Published: 2014-11-25 | CVSS Score: 7.5 | CVE ID: CVE-2014-8439

apptha -- contus_video_gallery
Multiple SQL injection vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly as distributed before 2014-07-23, for WordPress allow (1) remote attackers to execute arbitrary SQL commands via the vid parameter in a myextract action to wp-admin/admin-ajax.php or (2) remote authenticated users to execute arbitrary SQL commands via the playlistId parameter in the newplaylist page or (3) videoId parameter in a newvideo page to wp-admin/admin.php.
Date Published: 2014-11-26 | CVSS Score: 7.5 | CVE ID: CVE-2014-9097 | References: BID, MISC

arris -- vap2500_firmware
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.
Date Published: 2014-11-28 | CVSS Score: 10.0 | CVE ID: CVE-2014-8423 | References: MISC

arris -- vap2500_firmware
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.
Date Published: 2014-11-28 | CVSS Score: 7.8 | CVE ID: CVE-2014-8424 | References: MISC

arris -- vap2500_firmware
The management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to obtain credentials by reading the configuration files.
Date Published: 2014-11-28 | CVSS Score: 7.8 | CVE ID: CVE-2014-8425 | References: MISC

arubanetworks -- clearpass_policy_manager
SQL injection vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) 6.2.x, 6.3.x before 6.3.6, and 6.4.x before 6.4.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Date Published: 2014-11-25 | CVSS Score: 7.5 | CVE ID: CVE-2014-8367 | References: XF, SECUNIA

arubanetworks -- airwave
The web interface in Aruba Networks AirWave before 7.7.14 and 8.x before 8.0.5 allows remote authenticated users to gain privileges and execute arbitrary commands via unspecified vectors.
Date Published: 2014-11-25 | CVSS Score: 9.0 | CVE ID: CVE-2014-8368 | References: XF, SECUNIA

cisco -- openh264
Buffer overflow in decode.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.
Date Published: 2014-11-25 | CVSS Score: 7.5 | CVE ID: CVE-2014-8001

cisco -- openh264
Use-after-free vulnerability in decode_slice.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.
Date Published: 2014-11-25 | CVSS Score: 7.5 | CVE ID: CVE-2014-8002

cononical -- ubuntu
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.
Date Published: 2014-11-25 | CVSS Score: 7.2 | CVE ID: CVE-2014-1421

cybozu -- dezie
Buffer overflow in Cybozu Office 9 and 10 before 10.1.0, Mailwise 4 and 5 before 5.1.4, and Dezie 8 before 8.1.1 allows remote authenticated users to execute arbitrary code via e-mail messages.
Date Published: 2014-11-23 | CVSS Score: 9.0 | CVE ID: CVE-2014-5314 | References: JVNDB, JVN

dell -- sonicwall_analyzer
The ViewPoint web application in Dell SonicWALL Global Management System (GMS) before 7.2 SP2, SonicWALL Analyzer before 7.2 SP2, and SonicWALL UMA before 7.2 SP2 allows remote authenticated users to execute arbitrary code via unspecified vectors.
Date Published: 2014-11-25 | CVSS Score: 9.0 | CVE ID: CVE-2014-8420 | References: MISC

digium -- asterisk
The res_pjsip_acl module in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 does not properly create and load ACLs defined in pjsip.conf at startup, which allows remote attackers to bypass intended PJSIP ACL rules.
Date Published: 2014-11-24 | CVSS Score: 7.5 | CVE ID: CVE-2014-8413

digium -- asterisk
The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, 11.x before 11.1.4.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8 before 1.8.28-cert8 and 11.6 before 11.6-cert8 allows remote authenticated users to gain privileges via a call from an external protocol, as demonstrated by the AMI protocol.
Date Published: 2014-11-24 | CVSS Score: 9.0 | CVE ID: CVE-2014-8418

documentfoundation -- libreoffice
LibreOffice before 4.3.5 allows remote attackers to cause a denial of service (invalid write operation and crash) and possibly execute arbitrary code via a crafted RTF file.
Date Published: 2014-11-26 | CVSS Score: 7.5 | CVE ID: CVE-2014-9093 | References: CONFIRM, MLIST, MLIST

enalean -- tuleap
Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbitrary commands via the User-Agent header, which is provided to the passthru PHP function.
Date Published: 2014-11-28 | CVSS Score: 9.3 | CVE ID: CVE-2014-7178 | References: MISC, FULLDISC

flac -- libflac
Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
Date Published: 2014-11-26 | CVSS Score: 7.5 | CVE ID: CVE-2014-8962 | References: MISC, CONFIRM, BUGTRAQ, MISC

flac -- libflac
Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
Date Published: 2014-11-26 | CVSS Score: 7.5 | CVE ID: CVE-2014-9028 | References: MISC, CONFIRM, BUGTRAQ, MISC

gogits -- gogs
SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues.
Date Published: 2014-11-21 | CVSS Score: 7.5 | CVE ID: CVE-2014-8681 | References: CONFIRM, XF, EXPLOIT-DB, FULLDISC, MISC, CONFIRM

gogits -- gogs
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
Date Published: 2014-11-21 | CVSS Score: 7.5 | CVE ID: CVE-2014-8682 | References: CONFIRM, XF, BID, BUGTRAQ, EXPLOIT-DB, FULLDISC, MISC, CONFIRM

justsystems -- ichitaro
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.
Date Published: 2014-11-25 | CVSS Score: 10.0 | CVE ID: CVE-2014-7247 | References: JVNDB, JVN

manageengine -- oputils
The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile."
Date Published: 2014-11-25 | CVSS Score: 7.8 | CVE ID: CVE-2014-8678 | References: MISC

mantisbt -- mantisbt
Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to view_all_set.php.
Date Published: 2014-11-28 | CVSS Score: 7.5 | CVE ID: CVE-2014-9089 | References: MLIST, MLIST

moodle -- moodle
The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack.
Date Published: 2014-11-24 | CVSS Score: 7.5 | CVE ID: CVE-2014-7845 | References: MLIST

php -- php
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding.
Date Published: 2014-11-22 | CVSS Score: 7.5 | CVE ID: CVE-2014-8626 | References: CONFIRM, CONFIRM, CONFIRM, MLIST, CONFIRM

pligg -- pligg_cms
Multiple SQL injection vulnerabilities in recover.php in Pligg CMS 2.0.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) n parameter.
Date Published: 2014-11-26 | CVSS Score: 7.5 | CVE ID: CVE-2014-9096 | References: CONFIRM, CONFIRM, BID, FULLDISC, MISC

raritan -- power_iq
Multiple SQL injection vulnerabilities in Raritan Power IQ 4.1.0 and 4.2.1 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to license/records.
Date Published: 2014-11-26 | CVSS Score: 7.5 | CVE ID: CVE-2014-9095 | References: SECUNIA, FULLDISC, MISC

siemens -- simatic_pcs7
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to execute arbitrary code via crafted packets.
Date Published: 2014-11-26 | CVSS Score: 10.0 | CVE ID: CVE-2014-8551

wibu -- codemeter_runtime
Wibu-Systems CodeMeter Runtime before 5.20 uses weak permissions (read and write access for all users) for codemeter.exe, which allows local users to gain privileges via a Trojan horse file.
Date Published: 2014-11-26 | CVSS Score: 7.2 | CVE ID: CVE-2014-8419 | References: BUGTRAQ, MISC

xen -- xen
The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE.
Date Published: 2014-11-24 | CVSS Score: 7.1 | CVE ID: CVE-2014-9030 | References: XF, BID

Medium Severity Vulnerabilities

Each entry below gives: The Primary Vendor --- Product; Description; Date Published; CVSS Score; The CVE Identity (followed by the reference source labels, where the bulletin lists any).

cisco -- adaptive_security_appliance_software
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.3(.2) and earlier does not properly allocate memory blocks during HTTP packet handling, which allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCuq68888.
Date Published: 2014-11-27 | CVSS Score: 5.0 | CVE ID: CVE-2014-3407

cisco -- ios_xr
Cisco IOS XR allows remote attackers to cause a denial of service (LISP process reload) by establishing many LISP TCP sessions, aka Bug ID CSCuq90378.
Date Published: 2014-11-25 | CVSS Score: 5.0 | CVE ID: CVE-2014-8004

cisco -- ios_xr
Race condition in the lighttpd module in Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (process reload) by establishing many TCP sessions, aka Bug ID CSCuq45239.
Date Published: 2014-11-25 | CVSS Score: 5.0 | CVE ID: CVE-2014-8005

digitalzoomstudio -- video_gallery
Multiple cross-site scripting (XSS) vulnerabilities in deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter.
Date Published: 2014-11-26 | CVSS Score: 4.3 | CVE ID: CVE-2014-9094 | References: MISC, FULLDISC

digium -- asterisk
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.
Date Published: 2014-11-26 | CVSS Score: 4.0 | CVE ID: CVE-2014-6609

digium -- asterisk
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dialplan application.
Date Published: 2014-11-26 | CVSS Score: 4.0 | CVE ID: CVE-2014-6610

digium -- asterisk
The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to bypass the ACL restrictions via a packet with a source IP that does not share the address family as the first ACL entry.
Date Published: 2014-11-24 | CVSS Score: 5.0 | CVE ID: CVE-2014-8412

digium -- asterisk
ConfBridge in Asterisk 11.x before 11.14.1 and Certified Asterisk 11.6 before 11.6-cert8 does not properly handle state changes, which allows remote attackers to cause a denial of service (channel hang and memory consumption) by causing transitions to be delayed, which triggers a state change from hung up to waiting for media.
Date Published: 2014-11-24 | CVSS Score: 5.0 | CVE ID: CVE-2014-8414 | References: CONFIRM

digium -- asterisk
Race condition in the chan_pjsip channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 allows remote attackers to cause a denial of service (assertion failure and crash) via a cancel request for a SIP session with a queued action to (1) answer a session or (2) send ringing.
Date Published: 2014-11-24 | CVSS Score: 5.0 | CVE ID: CVE-2014-8415

digium -- asterisk
Use-after-free vulnerability in the PJSIP channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1, when using the res_pjsip_refer module, allows remote attackers to cause a denial of service (crash) via an in-dialog INVITE with Replaces message, which triggers the channel to be hung up.
Date Published: 2014-11-24 | CVSS Score: 5.0 | CVE ID: CVE-2014-8416

digium -- asterisk
ConfBridge in Asterisk 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 11.6 before 11.6-cert8 allows remote authenticated users to (1) gain privileges via vectors related to an external protocol to the CONFBRIDGE dialplan function or (2) execute arbitrary system commands via a crafted ConfbridgeStartRecord AMI action.
Date Published: 2014-11-24 | CVSS Score: 6.5 | CVE ID: CVE-2014-8417

directwebremoting -- direct_web_remoting
The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Date Published: 2014-11-23 | CVSS Score: 5.0 | CVE ID: CVE-2014-5325 | References: JVNDB, JVN

directwebremoting -- direct_web_remoting
Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Date Published: 2014-11-23 | CVSS Score: 4.3 | CVE ID: CVE-2014-5326 | References: JVNDB, JVN

drupal -- drupal
Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.
Date Published: 2014-11-24 | CVSS Score: 6.8 | CVE ID: CVE-2014-9015 | References: MLIST, MLIST, DEBIAN, SECUNIA

drupal -- drupal
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.
Date Published: 2014-11-24 | CVSS Score: 5.0 | CVE ID: CVE-2014-9016 | References: MLIST, MLIST, MLIST, DEBIAN, SECUNIA

dukapress_project -- dukapress
Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
Date Published: 2014-11-28 | CVSS Score: 5.0 | CVE ID: CVE-2014-8799 | References: XF, EXPLOIT-DB, MISC

gnu -- glibc
The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))".
Date Published: 2014-11-24 | CVSS Score: 4.3 | CVE ID: CVE-2014-7817 | References: CONFIRM, CONFIRM, XF, BID, MLIST

gogits -- gogs
Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown.
Date Published: 2014-11-21 | CVSS Score: 4.3 | CVE ID: CVE-2014-8683 | References: XF, BUGTRAQ, FULLDISC, MISC, CONFIRM

huawei -- e3236_firmware
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users for requests that (1) modify configurations, (2) send SMS messages, or have other unspecified impact via unknown vectors.
Date Published: 2014-11-21 | CVSS Score: 6.8 | CVE ID: CVE-2014-5395 | References: BID

ibm -- sterling_selling_and_fulfillment_foundation
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.
Date Published: 2014-11-22 | CVSS Score: 4.0 | CVE ID: CVE-2014-4807 | References: XF

ibm -- qradar_risk_manager
Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.
Date Published: 2014-11-27 | CVSS Score: 6.8 | CVE ID: CVE-2014-4829 | References: XF

ibm -- qradar_risk_manager
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to hijack sessions via unspecified vectors.
Date Published: 2014-11-27 | CVSS Score: 5.8 | CVE ID: CVE-2014-4831 | References: XF

ibm -- qradar_risk_manager
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to obtain sensitive cookie information by sniffing the network during an HTTP session.
Date Published: 2014-11-27 | CVSS Score: 4.3 | CVE ID: CVE-2014-4832 | References: XF

ibm -- qradar_risk_manager
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, place credentials in URLs, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.
Date Published: 2014-11-27 | CVSS Score: 5.0 | CVE ID: CVE-2014-6075 | References: XF

ibm -- security_network_protection_xgs_5000
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.
Date Published: 2014-11-22 | CVSS Score: 4.0 | CVE ID: CVE-2014-6183 | References: CONFIRM

ibm -- web_experience_factory
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSphere Portal configuration, leading to improper construction of a response page by an application.
Date Published: 2014-11-25 | CVSS Score: 4.3 | CVE ID: CVE-2014-6196 | References: XF, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR

iwip_project -- iwip
resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.
Date Published: 2014-11-27 | CVSS Score: 5.0 | CVE ID: CVE-2014-4883 | References: CERT-VN

jexperts -- channel_platform
JExperts Channel Platform 5.0.33_CCB allows remote authenticated users to bypass access restrictions via crafted action and key parameters.
Date Published: 2014-11-25 | CVSS Score: 6.5 | CVE ID: CVE-2014-8558 | References: FULLDISC, MISC

jqueryui -- jquery_ui
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
Date Published: 2014-11-24 | CVSS Score: 4.3 | CVE ID: CVE-2010-5312 | References: XF, MLIST, MLIST

jqueryui -- jquery_ui
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.
Date Published: 2014-11-24 | CVSS Score: 4.3 | CVE ID: CVE-2012-6662 | References: XF, MLIST, MLIST

kunena -- kunena
Multiple SQL injection vulnerabilities in the Kunena component before 3.0.6 for Joomla! allow remote authenticated users to execute arbitrary SQL commands via the index value in an array parameter, as demonstrated by the topics[] parameter in an unfavorite action to index.php.
Date Published: 2014-11-26 | CVSS Score: 6.5 | CVE ID: CVE-2014-9102 | References: BID, MISC

kunena -- kunena
Multiple cross-site scripting (XSS) vulnerabilities in the Kunena component before 3.0.6 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) index value of an array parameter or the filename parameter in the Content-Disposition header to the (2) file or (3) profile image upload functionality.
Date Published: 2014-11-26 | CVSS Score: 4.3 | CVE ID: CVE-2014-9103 | References: BID, MISC

mantisbt -- mantisbt
MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL.
Date Published: 2014-11-24 | CVSS Score: 4.0 | CVE ID: CVE-2014-8988 | References: XF, BID, MLIST, CONFIRM, MLIST

matrikonopc -- dnp3_opc_server
MatrikonOPC OPC Server for DNP3 1.2.3 and earlier allows remote attackers to cause a denial of service (unhandled exception and DNP3 process crash) via a crafted message.
Date Published: 2014-11-27 | CVSS Score: 5.0 | CVE ID: CVE-2014-5426 | References: MISC

moodle -- moodle
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.
Date Published: 2014-11-24 | CVSS Score: 4.0 | CVE ID: CVE-2014-7831 | References: MLIST, CONFIRM

moodle -- moodle
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
Date Published: 2014-11-24 | CVSS Score: 4.0 | CVE ID: CVE-2014-7832 | References: MLIST, CONFIRM

moodle -- moodle
mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.
Date Published: 2014-11-24 | CVSS Score: 4.0 | CVE ID: CVE-2014-7833 | References: MLIST, CONFIRM

moodle -- moodle
mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.
Date Published: 2014-11-24 | CVSS Score: 4.0 | CVE ID: CVE-2014-7834 | References: MLIST, CONFIRM

moodle -- moodle
Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request.
Date Published: 2014-11-24 | CVSS Score: 6.8 | CVE ID: CVE-2014-7836 | References: MLIST

moodle -- moodle
mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to remove wiki pages by leveraging delete access within a different subwiki.
Date Published: 2014-11-24 | CVSS Score: 5.5 | CVE ID: CVE-2014-7837 | References: MLIST

moodle -- moodle
Multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for requests that set a tracking preference within (1) mod/forum/deprecatedlib.php, (2) mod/forum/forum.js, (3) mod/forum/index.php, or (4) mod/forum/lib.php.
Date Published: 2014-11-24 | CVSS Score: 6.8 | CVE ID: CVE-2014-7838 | References: MLIST

moodle -- moodle
tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request.
Date Published: 2014-11-24 | CVSS Score: 4.0 | CVE ID: CVE-2014-7846 | References: MLIST

moodle -- moodle
iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote attackers to cause a denial of service (resource consumption) by triggering the calculation of an estimated latitude and longitude for an IP address.
Date Published: 2014-11-24 | CVSS Score: 5.0 | CVE ID: CVE-2014-7847 | References: MLIST

moodle -- moodle
lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.
Date Published: 2014-11-24 | CVSS Score: 5.0 | CVE ID: CVE-2014-7848 | References: MLIST

moodle -- moodle
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts.
Date Published: 2014-11-24 | CVSS Score: 4.3 | CVE ID: CVE-2014-9059 | References: MLIST

moodle -- moodle
The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php.
Date Published: 2014-11-24 | CVSS Score: 5.0 | CVE ID: CVE-2014-9060 | References: CONFIRM, MLIST

moxi9 -- phpfox
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.
Date Published: 2014-11-21 | CVSS Score: 4.3 | CVE ID: CVE-2014-8469 | References: XF, BID, EXPLOIT-DB, FULLDISC, MISC

open-xchange -- open-xchange_appsuite
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.
2014-11-21 6.5 CVE-2014-7871 [XF, BID, BUGTRAQ, MISC]

openstack -- neutron
OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.
2014-11-24 4.0 CVE-2014-7821 [XF, SECUNIA]

openswan -- openswan
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6466.
2014-11-26 5.0 CVE-2014-2037 [BID, MLIST, MLIST]

openvpn -- openvpn_access_server
Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) disconnect established VPN sessions, (2) connect to arbitrary VPN servers, or (3) create VPN profiles and execute arbitrary commands via crafted API requests.
2014-11-26 6.8 CVE-2014-9104 [MISC, MISC, BUGTRAQ, FULLDISC]

oracle -- database_server
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4296, CVE-2014-4297, CVE-2014-4310, and CVE-2014-6547. NOTE: this issue was originally mapped to CVE-2014-4301, but CVE-2014-4301 is for an unrelated vulnerability.
2014-11-23 6.8 CVE-2014-6477

paidmembershipspro -- paid_memberships_pro
Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax.php.
2014-11-28 5.0 CVE-2014-8801 [XF, BID, EXPLOIT-DB, MISC, MISC]

polarssl -- polarssl
PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors.
2014-11-24 5.0 CVE-2014-8627 [SECUNIA, SUSE]

redhat -- resteasy
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.
2014-11-25 6.4 CVE-2014-7839 [SECUNIA]

redhat -- freeipa
Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to breadcrumb navigation.
2014-11-28 4.3 CVE-2014-7850

ruby-lang -- ruby
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.
2014-11-21 5.0 CVE-2014-8090

siemens -- simatic_pcs7
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets.
2014-11-26 5.0 CVE-2014-8552

simple_email_form_project -- simple_email_form
Cross-site scripting (XSS) vulnerability in Simple Email Form 1.8.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the mod_simpleemailform_field2_1 parameter to index.php.
2014-11-21 4.3 CVE-2014-8539 [MISC, BID, BUGTRAQ, MISC]

skalfa -- oxwall
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall 1.7.0 (build 7907 and 7906) and SkaDate Lite 2.0 (build 7651) allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks or possibly have other unspecified impact via the (1) label parameter to admin/users/roles/, (2) lang[1][base][questions_account_type_5615100a931845eca8da20cfdf7327e0] in an AddAccountType action or (3) qst_name parameter in an addQuestion action to admin/questions/ajax-responder/, or (4) form_name or (5) restrictedUsername parameter to admin/restricted-usernames.
2014-11-26 6.8 CVE-2014-9101 [MISC, MISC, BID, EXPLOIT-DB, MISC, MISC, OSVDB, OSVDB, OSVDB, OSVDB]

squid-cache -- squid
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.
2014-11-26 6.4 CVE-2014-7141 [CONFIRM, MLIST, MLIST, MLIST]

squid-cache -- squid
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.
2014-11-26 6.4 CVE-2014-7142 [CONFIRM, MLIST, MLIST, MLIST]

ubuntu -- apparmor
apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a "miscompilation flaw."
2014-11-24 6.4 CVE-2014-1424

whydowork_adsense_project -- whydowork_adsense
Cross-site request forgery (CSRF) vulnerability in the WhyDoWork AdSense plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via a request to the whydowork_adsense page in wp-admin/options-general.php.
2014-11-26 6.8 CVE-2014-9099 [BID, MISC]

whydowork_adsense_project -- whydowork_adsense
Cross-site scripting (XSS) vulnerability in the WhyDoWork AdSense plugin 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the idcode parameter in the whydowork_adsense page to wp-admin/options-general.php.
2014-11-26 4.3 CVE-2014-9100 [BID, MISC]

wireshark -- wireshark
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.
2014-11-22 5.0 CVE-2014-8710 [CONFIRM, CONFIRM]

wireshark -- wireshark
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.
2014-11-22 5.0 CVE-2014-8711 [CONFIRM, CONFIRM, CONFIRM]

wireshark -- wireshark
The build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
2014-11-22 5.0 CVE-2014-8712 [CONFIRM, CONFIRM]

wireshark -- wireshark
Stack-based buffer overflow in the build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet.
2014-11-22 5.0 CVE-2014-8713 [CONFIRM, CONFIRM]

wireshark -- wireshark
The dissect_write_structured_field function in epan/dissectors/packet-tn5250.c in the TN5250 dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.
2014-11-22 5.0 CVE-2014-8714 [CONFIRM, CONFIRM, CONFIRM]

wordpress -- wordpress
Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post.
2014-11-25 4.3 CVE-2014-9031 [MLIST, MISC]

wordpress -- wordpress
Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
2014-11-25 4.3 CVE-2014-9032 [MLIST]

wordpress -- wordpress
Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords.
2014-11-25 6.8 CVE-2014-9033 [MLIST]

wordpress -- wordpress
wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016.
2014-11-25 5.0 CVE-2014-9034 [MLIST]

wordpress -- wordpress
Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
2014-11-25 4.3 CVE-2014-9035 [MLIST]

wordpress -- wordpress
Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post.
2014-11-25 4.3 CVE-2014-9036 [MLIST]

wordpress -- wordpress
WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash.
2014-11-25 6.8 CVE-2014-9037 [MLIST]

wordpress -- wordpress
wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource.
2014-11-25 6.4 CVE-2014-9038 [MLIST]

wordpress -- wordpress
wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message.
2014-11-25 4.3 CVE-2014-9039 [MLIST]

xavoc -- xepan_cms
Cross-site request forgery (CSRF) vulnerability in Xavoc Technocrats xEpan CMS 1.0.4.1, 1.0.4, 1.0.1, and earlier allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts via a crafted request to the owner/users page.
2014-11-28 6.8 CVE-2014-8429 [MISC, BUGTRAQ]

Low Severity Vulnerabilities

The Primary Vendor --- Product / Description / Date Published / CVSS Score / The CVE Identity

apptha -- contus_video_gallery
Multiple cross-site scripting (XSS) vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly before 2014-07-23, for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the videoadssearchQuery parameter to (1) videoads/videoads.php, (2) video/video.php, or (3) playlist/playlist.php.
2014-11-26 3.5 CVE-2014-9098 [BID, MISC]

check_diskio_project -- check_diskio
The check_diskio plugin 3.2.6 and earlier for Nagios and Icinga allows local users to write to arbitrary files via a symlink attack on a temporary file with a predictable name (tmp/check_diskio_status-*-*).
2014-11-28 3.6 CVE-2014-8994 [XF, BID, MLIST, MLIST]

ibm -- websphere_portal
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
2014-11-25 3.5 CVE-2014-6093 [XF]

liferay -- liferay_portal
Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise Edition (EE) 6.2 SP8 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the _20_body parameter in the comment field in an uploaded file.
2014-11-24 3.5 CVE-2014-8349 [FULLDISC, MISC]

mantisbt -- mantisbt
Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987.
2014-11-24 3.5 CVE-2014-8986 [MLIST, MLIST, MLIST, MLIST]

moodle -- moodle
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter.
2014-11-24 3.5 CVE-2014-7830 [MLIST, CONFIRM]

moodle -- moodle
webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area.
2014-11-24 2.1 CVE-2014-7835 [CONFIRM, MLIST, CONFIRM]

python -- pip
pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.
2014-11-24 2.1 CVE-2014-8991 [CONFIRM, CONFIRM, BID, MLIST, MLIST]

• Sources: http://nvd.nist.gov (For more information, visit the National Vulnerability Database (NVD), which contains a database of every vulnerability that has ever been published.)

Uganda Communications Commission – UGCERT. Email: [email protected] Tel: +256 414 302 100/150 Toll Free: 0800 133 911 Website: www.ug-cert.ug Facebook / Twitter: UGCERT