CVSS: 1.9EPSS: 0%CPEs: 2EXPL: 0CVE-2014-2893
https://notcve.org/view.php?id=CVE-2014-2893
The GetHTMLRunDir function in the scan-build utility in Clang 3.5 and earlier allows local users to obtain sensitive information or overwrite arbitrary files via a symlink attack on temporary directories with predictable names. La función GetHTMLRunDir en la utilidad scan-build en Clang 3.5 y anteriores permite a usuarios locales obtener información sensible o sobreescribir archivos arbitrarios a través de un ataque symlink sobre directorios temporales con nombres previsibles. • http://lists.opensuse.org/opensuse-updates/2015-02/msg00038.html http://www.openwall.com/lists/oss-security/2014/04/16/2 http://www.openwall.com/lists/oss-security/2014/04/20/1 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 4.3EPSS: 0%CPEs: 52EXPL: 0CVE-2014-2554
https://notcve.org/view.php?id=CVE-2014-2554
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element. OTRS 3.1.x anterior a 3.1.21, 3.2.x anterior a 3.2.16 y 3.3.x anterior a 3.3.6 permite a atacantes remotos realizar ataques de clickjacking a través de un elemento IFRAME. • http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html http://www.otrs.com/security-advisory-2014-05-clickjacking-issue • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2014-0157 – openstack-horizon: XSS in Horizon orchestration dashboard when using a malicious template
https://notcve.org/view.php?id=CVE-2014-0157
Cross-site scripting (XSS) vulnerability in the Horizon Orchestration dashboard in OpenStack Dashboard (aka Horizon) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to inject arbitrary web script or HTML via the description field of a Heat template. Vulnerabilidad de XSS en el dashboard de Horizon Orchestration en OpenStack Dashboard (también conocido como Horizon) 2013.2 anterior a 2013.2.4i y icehouse before icehouse-rc2 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través del campo descripción de una plantilla Heat. • http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html http://www.openwall.com/lists/oss-security/2014/04/08/8 http://www.securityfocus.com/bid/66706 https://launchpad.net/bugs/1289033 https://access.redhat.com/security/cve/CVE-2014-0157 https://bugzilla.redhat.com/show_bug.cgi?id=1082858 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2014-1716
https://notcve.org/view.php?id=CVE-2014-1716
Cross-site scripting (XSS) vulnerability in the Runtime_SetPrototype function in runtime.cc in Google V8, as used in Google Chrome before 34.0.1847.116, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)." Vulnerabilidad de XSS en la función Runtime_SetPrototype en runtime.cc en Google V8, utilizado en Google Chrome anterior a 34.0.1847.116, permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de vectores no especificados, también conocido como "Universal XSS (UXSS)." • http://googlechromereleases.blogspot.com/2014/04/stable-channel-update.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00012.html http://security.gentoo.org/glsa/glsa-201408-16.xml http://www.debian.org/security/2014/dsa-2905 https://code.google.com/p/chromium/issues/detail?id=354123 https://code.google.com/p/v8/source/detail?r=20138 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 97%CPEs: 54EXPL: 16CVE-2014-0160 – OpenSSL Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2014-0160
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. Las implementaciones de (1) TLS y (2) DTLS en OpenSSL 1.0.1 en versiones anteriores a 1.0.1g no manejan adecuadamente paquetes Heartbeat Extension, lo que permite a atacantes remotos obtener información sensible desde la memoria de proceso a través de paquetes manipulados que desencadenan una sobrelectura del buffer, según lo demostrado mediante la lectura de claves privadas, relacionado con d1_both.c y t1_lib.c, también conocido como bug Heartbleed. An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys. • https://www.exploit-db.com/exploits/32764 https://www.exploit-db.com/exploits/32791 https://www.exploit-db.com/exploits/32998 https://www.exploit-db.com/exploits/32745 https://github.com/0x90/CVE-2014-0160 https://github.com/jdauphant/patch-openssl-CVE-2014-0160 https://github.com/caiqiqi/OpenSSL-HeartBleed-CVE-2014-0160-PoC https://github.com/obayesshelton/CVE-2014-0160-Scanner https://github.com/MrE-Fog/CVE-2014-0160-Chrome-Plugin https://github.com/Xyl2k/CVE-2014&# • CWE-125: Out-of-bounds Read CWE-201: Insertion of Sensitive Information Into Sent Data •