Page 105 of 680 results (0.011 seconds)

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 1

CVE-2014-3594 – openstack-horizon: persistent XSS in Horizon Host Aggregates interface

https://notcve.org/view.php?id=CVE-2014-3594

Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name. Vulnerabilidad de XSS en la interfaz Host Aggregates en OpenStack Dashboard (Horizon) anterior a 2013.2.4, 2014.1 anterior a 2014.1.2, y Juno anterior a Juno-3 permite a administradores remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de agregado de anfitrión nuevo. A persistent cross-site scripting (XSS) flaw was found in the horizon host aggregate interface. A user with sufficient privileges to add a host aggregate could potentially use this flaw to capture the credentials of another user. • http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html http://rhn.redhat.com/errata/RHSA-2014-1335.html http://rhn.redhat.com/errata/RHSA-2014-1336.html http://seclists.org/oss-sec/2014/q3/413 http://www.securityfocus.com/bid/69291 https://bugs.launchpad.net/horizon/+bug/1349491 https://exchange.xforce.ibmcloud.com/vulnerabilities/95378 https://review.openstack.org/#/c/115310 https://review.openstack.org/#/c/115311 https://review.openstack.org/# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 3.5EPSS: 0%CPEs: 4EXPL: 2

CVE-2014-5025

https://notcve.org/view.php?id=CVE-2014-5025

Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action. Vulnerabilidad de XSS en data_sources.php en Cacti 0.8.8b permite a usuarios remotos autenticados con acceso a la consola inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro name_cache en una acción ds_edit. • http://bugs.cacti.net/view.php?id=2456 http://lists.opensuse.org/opensuse-updates/2015-03/msg00034.html http://www.debian.org/security/2014/dsa-3007 http://www.openwall.com/lists/oss-security/2014/07/22/9 http://www.securityfocus.com/bid/68759 https://exchange.xforce.ibmcloud.com/vulnerabilities/94814 https://security.gentoo.org/glsa/201509-03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 3.5EPSS: 0%CPEs: 4EXPL: 2

CVE-2014-5026

https://notcve.org/view.php?id=CVE-2014-5026

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host Templates Name in a delete action; (6) Data Source Title; (7) Graph Title; or (8) Graph Template Name in a delete or (9) duplicate action. Múltiples vulnerabilidades de XSS en Cacti 0.8.8b permiten a usuarios remotos autenticados con acceso a la consola inyectar secuencias de comandos web o HTML arbitrarios a través de (1) un título de árbol de gráfico en una acción de eliminación o (2) de editar; (3) CDEF Name, (4) Data Input Method Name, o (5) Host Templates Name en una acción de eliminación; (6) Data Source Title; (7) Graph Title; or (8) Graph Template Name en una acción de eliminación o (9) duplicar. • http://bugs.cacti.net/view.php?id=2456 http://lists.opensuse.org/opensuse-updates/2015-03/msg00034.html http://seclists.org/oss-sec/2014/q3/244 http://www.debian.org/security/2014/dsa-3007 http://www.openwall.com/lists/oss-security/2014/07/22/9 http://www.securityfocus.com/bid/68759 https://exchange.xforce.ibmcloud.com/vulnerabilities/94816 https://security.gentoo.org/glsa/201509-03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.0EPSS: 0%CPEs: 103EXPL: 0

CVE-2014-3528 – subversion: credentials leak via MD5 collision

https://notcve.org/view.php?id=CVE-2014-3528

Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm. Apache Subversion 1.0.0 hasta 1.7.x anterior a 1.7.17 y 1.8.x anterior a 1.8.10 utiliza un hash MD5 de la URL y el reino (realm) de la autenticación para almacenar las credenciales de caché, lo que facilita a servidores remotos obtener credenciales a través de un reino (realm) de la autenticación manipulado. It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server's URL. A malicious server able to provide a realm that triggers an MD5 collision could possibly use this flaw to obtain the credentials for a different realm. • http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html http://rhn.redhat.com/errata/RHSA-2015-0165.html http://rhn.redhat.com/errata/RHSA-2015-0166.html http://secunia.com/advisories/59432 http://secunia.com/advisories/59584 http://secunia.com/advisories/60722 http://subversion.apache.org/security/CVE-2014-3528-advisory.txt http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html ht • CWE-201: Insertion of Sensitive Information Into Sent Data CWE-255: Credentials Management Errors •

CVSS: 4.0EPSS: 0%CPEs: 72EXPL: 0

CVE-2014-3522

https://notcve.org/view.php?id=CVE-2014-3522

The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. La capa Serf RA en Apache Subversion 1.4.0 hasta 1.7.x anterior a 1.7.18 y 1.8.x anterior a 1.8.10 no maneja debidamente los comodines (wildcards) en el campo Common Name (CN) o subjectAltName de un certificado X.509, lo que permite a atacantes man-in-the-middle falsificar servidores a través de un certificado manipulado. • http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html http://secunia.com/advisories/59432 http://secunia.com/advisories/59584 http://secunia.com/advisories/60100 http://secunia.com/advisories/60722 http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html http://www.osvdb.org/109996 http://www.securityfocus.com/bid/69237 http://www.ubuntu.com/usn/USN-2316-1 https://exchange • CWE-297: Improper Validation of Certificate with Host Mismatch •