CVSS: 4.3EPSS: 0%CPEs: 43EXPL: 0CVE-2014-3730
https://notcve.org/view.php?id=CVE-2014-3730
The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com." La función django.util.http.is_safe_url en Django 1.4 anterior a 1.4.13, 1.5 anterior a 1.5.8, 1.6 anterior a 1.6.5 y 1.7 anterior a 1.7b4 no valida debidamente URLs, lo que permite a atacantes remotos realizar ataques de redirección abierta a través de una URL malformada, tal y como fue demostrado por 'http:\\\djangoproject.com.' • http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html http://secunia.com/advisories/61281 http://ubuntu.com/usn/usn-2212-1 http://www.debian.org/security/2014/dsa-2934 http://www.openwall.com/lists/oss-security/2014/05/14/10 http://www.openwall.com/lists/oss-security/2014/05/15/3 http://www.securityfocus.com/bid/67410 https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2014-1909
https://notcve.org/view.php?id=CVE-2014-1909
Integer signedness error in system/core/adb/adb_client.c in Android Debug Bridge (ADB) for Android 4.4 in the Android SDK Platform Tools 18.0.1 allows ADB servers to execute arbitrary code via a negative length value, which bypasses a signed comparison and triggers a stack-based buffer overflow. Error de signo de enteros en system/core/adb/adb_client.c en Android Debug Bridge (ADB) para Android 4.4 en las herramientas de plataforma de Android SDK 18.0.1 permite a servidores ADB ejecutar código arbitrario a través de un valor de longitud negativo, lo que evade una comparación de signo y provoca un desbordamiento de buffer basado en pila. • http://lists.opensuse.org/opensuse-updates/2014-05/msg00038.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00039.html http://seclists.org/oss-sec/2014/q1/291 http://www.securityfocus.com/bid/65403 https://exchange.xforce.ibmcloud.com/vulnerabilities/91291 • CWE-189: Numeric Errors •
CVSS: 3.3EPSS: 0%CPEs: 29EXPL: 0CVE-2014-1934
https://notcve.org/view.php?id=CVE-2014-1934
tag.py in eyeD3 (aka python-eyed3) 7.0.3, 0.6.18, and earlier for Python allows local users to modify arbitrary files via a symlink attack on a temporary file. tag.py en eyeD3 (también conocido como python-eyed3) 7.0.3, 0.6.18 y anteriores para Python permite a usuarios locales modificar archivos arbitrarios a través de un ataque de enlace simbólico sobre un archivo temporal. • http://lists.opensuse.org/opensuse-updates/2014-05/msg00027.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00028.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737062 https://bugzilla.redhat.com/show_bug.cgi?id=1063671 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 4.3EPSS: 1%CPEs: 8EXPL: 0CVE-2014-0190
https://notcve.org/view.php?id=CVE-2014-0190
The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image. El decodificador GIF en QtGui en Qt anterior a 5.3 permite a atacantes remotos causar una denegación de servicio (referencia a puntero nulo) a través de valores de ancho y alto inválidos en un imagen GIF. • http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134040.html http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134141.html http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132395.html http://lists.opensuse.org/opensuse-updates/2015-03/msg00068.html http://lists.qt-project.org/pipermail/announce/2014-April/000045.html http://www.securityfocus.com/bid/67087 http://www.ubuntu.com/usn/USN-2626-1 https://bugs.kde.org/show_bug.cgi?id=33340 • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 19%CPEs: 4EXPL: 4CVE-2014-2913 – NRPE 2.15 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-2913
Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments ** DISPUTADA ** Vulnerabilidad de lista negra incompleta en nrpe.c en Nagios Remote Plugin Executor (NRPE) 2.15 y anteriores permite a atacantes remotos ejecutar comandos arbitrarios a través de un caracter de nueva línea en la opción -a hacia libexec/check_nrpe. NOTA: este problema está en disputa por partes múltiples. • https://www.exploit-db.com/exploits/34461 https://www.exploit-db.com/exploits/32925 http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166528.html http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html http://seclists.org/fulldisclosure/2014/Apr/240 http://seclists.org/fulldisclosure/2014/Apr/242 http://seclists.org/os •