CVSS: 5.0EPSS: 0%CPEs: 8EXPL: 0CVE-2014-6331
https://notcve.org/view.php?id=CVE-2014-6331
Microsoft Active Directory Federation Services (AD FS) 2.0, 2.1, and 3.0, when a configured SAML Relying Party lacks a sign-out endpoint, does not properly process logoff actions, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation, aka "Active Directory Federation Services Information Disclosure Vulnerability." Microsoft Active Directory Federation Services (AD FS) 2.0, 2.1, y 3.0, cuando a un SAML Relying Party configurado le falta un cierre de sesión del endpoint, no procesa debidamente las acciones logoff, lo que facilita a atacantes remotos obtener acceso mediante el aprovechamiento de una estación de trabajo desatendida, también conocido como 'vulnerabilidad de divulgación de información de Microsoft Active Directory Federation Services' • http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-risk-for-the-november-2014-security-updates.aspx http://www.securityfocus.com/bid/70938 http://www.securitytracker.com/id/1031195 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-077 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2014-1816
https://notcve.org/view.php?id=CVE-2014-1816
Microsoft XML Core Services (aka MSXML) 3.0 and 6.0 does not properly restrict the information transmitted by Internet Explorer during a download action, which allows remote attackers to discover (1) full pathnames on the client system and (2) local usernames embedded in these pathnames via a crafted web site, aka "MSXML Entity URI Vulnerability." Microsoft XML Core Services (también conocido como MSXML) 3.0 y 6.0 no restringe debidamente la información transmitida por Internet Explorer durante una acción de descarga, lo que permite a atacantes remotos descubrir (1) nombres completos de rutas en el sistema del cliente y (2) nombres de usuarios locales embebidos en estos nombres de rutas a través de un sitio web manipulado, también conocido como 'Vulnerabilidad de URI de la Entidad MSXML.' • http://blogs.technet.com/b/srd/archive/2014/06/10/assessing-risk-for-the-june-2014-security-updates.aspx http://secunia.com/advisories/58538 http://www.securityfocus.com/bid/67895 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-033 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.0EPSS: 2%CPEs: 24EXPL: 0CVE-2014-0251
https://notcve.org/view.php?id=CVE-2014-0251
Microsoft Windows SharePoint Services 3.0 SP3; SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013 Gold and SP1; SharePoint Foundation 2010 SP1 and SP2 and 2013 Gold and SP1; Project Server 2010 SP1 and SP2 and 2013 Gold and SP1; Web Applications 2010 SP1 and SP2; Office Web Apps Server 2013 Gold and SP1; SharePoint Server 2013 Client Components SDK; and SharePoint Designer 2007 SP3, 2010 SP1 and SP2, and 2013 Gold and SP1 allow remote authenticated users to execute arbitrary code via crafted page content, aka "SharePoint Page Content Vulnerability." Microsoft Windows SharePoint Services 3.0 SP3; SharePoint Server 2007 SP3, 2010 SP1 y SP2 y 2013 Gold y SP1; SharePoint Foundation 2010 SP1 y SP2 y 2013 Gold y SP1; Project Server 2010 SP1 y SP2 y 2013 Gold y SP1; Web Applications 2010 SP1 y SP2; Office Web Apps Server 2013 Gold y SP1; SharePoint Server 2013 Client Components SDK y SharePoint Designer 2007 SP3, 2010 SP1 y SP2 y 2013 Gold y SP1 permiten a usuarios remotos autenticados ejecutar código arbitrario a través de contenido manipulado de una página, también conocido como 'vulnerabilidad de contenido de página de SharePoint.' • http://www.securitytracker.com/id/1030227 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-022 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 79%CPEs: 22EXPL: 1CVE-2013-1315
https://notcve.org/view.php?id=CVE-2013-1315
Microsoft SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013; Office Web Apps 2010; Excel 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Office for Mac 2011; Excel Viewer; and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Microsoft Office Memory Corruption Vulnerability." Microsoft SharePoint Server 2007 SP3, 2010 SP1 y SP2, y 2013; Office Web Apps 2010; Excel 2003 SP3, 2007 SP3, 2010 SP1 y SP2, 2013, y 2013 RT; Office para Mac 2011; Excel Viewer; y Office Compatibility Pack SP3 permiten a un atacante remoto ejecutar código a discrección o causar una denegación de servicio (corrupción de memoria), a través de un documento Office manipulado, tambien conocida como "Vulnerabilidad de Corrupción de Memoria en Microsoft Office". • http://www.us-cert.gov/ncas/alerts/TA13-253A https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-067 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-073 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18333 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18543 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18950 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 4.3EPSS: 27%CPEs: 6EXPL: 1CVE-2013-3179 – Microsoft SharePoint 2013 (Cloud) - Persistent Exception Handling (MS13-067)
https://notcve.org/view.php?id=CVE-2013-3179
Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013 allows remote attackers to inject arbitrary web script or HTML via a crafted request, aka "SharePoint XSS Vulnerability." Vulnerabilidad XSS en Microsoft SharePoint Server 2007 SP3, 2010 SP1 y SP2, y 2013 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a través de una petición manipulada. Aka "SharePoint XSS Vulnerability." • https://www.exploit-db.com/exploits/28238 http://www.us-cert.gov/ncas/alerts/TA13-253A https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-067 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18750 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •