CVSS: 5.9EPSS: 0%CPEs: 7EXPL: 1CVE-2014-4616 – python: missing boundary check in JSON module
https://notcve.org/view.php?id=CVE-2014-4616
Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function. Un error de índice de matriz en la función scanstring en el módulo the _json en Python 2.7 en su versión 3.5 y simplejson en su versión 2.6.1 permite que atacantes dependientes del contexto lean archivos arbitrarios de la memoria de proceso mediante un valor de índice negativo en el argumento idx en la función raw_decode function. A flaw was found in the way the json module handled negative index argument passed to certain functions (such as raw_decode()). An attacker able to control index value passed to one of the affected functions could possibly use this flaw to disclose portions of the application memory. • http://bugs.python.org/issue21529 http://lists.opensuse.org/opensuse-updates/2014-07/msg00015.html http://openwall.com/lists/oss-security/2014/06/24/7 http://rhn.redhat.com/errata/RHSA-2015-1064.html http://www.securityfocus.com/bid/68119 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395 https://bugzilla.redhat.com/show_bug.cgi?id=1112285 https://hackerone.com/reports/12297 https://security.gentoo.org/glsa/201503-10 https://access.redhat.com/security/cve/CV • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-129: Improper Validation of Array Index •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2014-4002
https://notcve.org/view.php?id=CVE-2014-4002
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php. Múltiples vulñnerabilidades de XSS en Cacti 0.8.8b permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) drp_action en cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php o (9) host_templates.php o el parámetro (10) graph_template_input_id o (11) graph_template_id en graph_templates_inputs.php. • http://lists.opensuse.org/opensuse-updates/2015-03/msg00034.html http://secunia.com/advisories/59203 http://secunia.com/advisories/59517 http://svn.cacti.net/viewvc?view=rev&revision=7451 http://svn.cacti.net/viewvc?view=rev&revision=7452 http://www.debian.org/security/2014/dsa-2970 http://www.securityfocus.com/bid/68257 https://security.gentoo.org/glsa/201509-03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 24EXPL: 1CVE-2014-3494
https://notcve.org/view.php?id=CVE-2014-3494
kio/usernotificationhandler.cpp in the POP3 kioslave in kdelibs 4.10.95 before 4.13.3 does not properly generate warning notifications, which allows man-in-the-middle attackers to obtain sensitive information via an invalid certificate. kio/usernotificationhandler.cpp en POP3 kioslave en kdelibs 4.10.95 anterior a 4.13.3 no genera debidamente notificaciones de aviso, lo que permite a atacantes man-in-the-middle obtener información sensible a través de un certificado inválido. • http://lists.opensuse.org/opensuse-updates/2015-03/msg00068.html http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=bbae87dc1be3ae063796a582774bd5642cacdd5d&hp=1ccdb43ed3b32a7798eec6d39bb3c83a6e40228f http://www.kde.org/info/security/advisory-20140618-1.txt http://www.securityfocus.com/bid/68113 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 1%CPEs: 64EXPL: 0CVE-2014-4617
https://notcve.org/view.php?id=CVE-2014-4617
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence. La función do_uncompress en g10/compress.c en GnuPG 1.x anterior a 1.4.17 y 2.x anterior a 2.0.24 permite a atacantes dependientes de contexto causar una denegación de servicio (bucle infinito) a través de paquetes comprimidos malformados, tal y como fue demostrado por una secuencia de bytes a3 01 5b ff. • http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git%3Ba=commit%3Bh=014b2103fcb12f261135e3954f26e9e07b39e342 http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git%3Ba=commit%3Bh=11fdfcf82bd8d2b5bc38292a29876e10770f4b0a http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000345.html http://lists.opensuse.org/opensuse-updates/2014-07/msg00010.html http://secunia.com/advisories/59213 http://secunia.com/advisories/59351 http://secunia.com/ad • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 1%CPEs: 7EXPL: 0CVE-2014-0247 – libreoffice: VBA macros executed unconditionally
https://notcve.org/view.php?id=CVE-2014-0247
LibreOffice 4.2.4 executes unspecified VBA macros automatically, which has unspecified impact and attack vectors, possibly related to doc/docmacromode.cxx. LibreOffice 4.2.4 ejecuta macros VBA no especificados automáticamente, lo que tiene un impacto y vectores de ataque no especificados, posiblemente relacionado con doc/docmacromode.cxx. It was found that LibreOffice documents executed macros unconditionally, without user approval, when these documents were opened using LibreOffice. An attacker could use this flaw to execute arbitrary code as the user running LibreOffice by embedding malicious VBA scripts in the document as macros. • http://lists.fedoraproject.org/pipermail/package-announce/2014-July/135020.html http://lists.opensuse.org/opensuse-updates/2014-07/msg00006.html http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0247.html http://rhn.redhat.com/errata/RHSA-2015-0377.html http://secunia.com/advisories/57383 http://secunia.com/advisories/59330 http://secunia.com/advisories/60799 http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml http://www.securityfocus.com/bid/68151 http:&#x • CWE-356: Product UI does not Warn User of Unsafe Actions •