CVSS: 7.8EPSS: 5%CPEs: 8EXPL: 1CVE-2014-8503 – binutils: stack overflow in objdump when parsing specially crafted ihex file
https://notcve.org/view.php?id=CVE-2014-8503
09 Dec 2014 — Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file. Desbordamiento de buffer basado en pila en la función ihex_scan en bfd/ihex.c en GNU binutils 2.24 y anteriores permite a atacantes remotos causar una denegación de servicio (caída) y posiblemente tener otro impacto no especificado a través de un fichero ihex manipulado. A stack-ba... • http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145262.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •
CVSS: 7.8EPSS: 2%CPEs: 8EXPL: 3CVE-2014-8504 – binutils: stack overflow in the SREC parser
https://notcve.org/view.php?id=CVE-2014-8504
09 Dec 2014 — Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file. Desbordamiento de buffer basado en pila en la función srec_scan en bfd/srec.c en GNU binutils 2.24 y anteriores permite a atacantes remotos causar una denegación de servicio (caída) y posiblemente tener orto impacto no especificado a través de un fichero manipulado. A stack-based buffer... • http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145262.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •
CVSS: 9.8EPSS: 2%CPEs: 4EXPL: 3CVE-2014-8990 – Gentoo Linux Security Advisory 201702-05
https://notcve.org/view.php?id=CVE-2014-8990
05 Dec 2014 — default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename. default-rsyncssh.lua en Lsyncd 2.1.5 y anteriores permite a atacantes remotos ejecutar comandos arbitrarios a través de metacaracteres de shell en un nombre de fichero. A vulnerability in Lsyncd allows execution of arbitrary code. Versions less than 2.1.6 are affected. • http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145114.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2013-6494
https://notcve.org/view.php?id=CVE-2013-6494
02 Dec 2014 — fedup 0.9.0 in Fedora 19, 20, and 21 uses a temporary directory with a static name for its download cache, which allows local users to cause a denial of service (prevention of system updates). fedup 0.9.0 en Fedora 19, 20, y 21 utiliza un directorio temporal con un nombre estático para su caché de descarga, lo que permite a usuarios locales causar una denegación de servicio (prevención de actualizaciones del sistema). • http://lists.fedoraproject.org/pipermail/package-announce/2014-November/141698.html • CWE-17: DEPRECATED: Code •
CVSS: 9.1EPSS: 0%CPEs: 6EXPL: 0CVE-2013-0334 – rubygem-bundler: 'bundle install' may install a gem from a source other than expected
https://notcve.org/view.php?id=CVE-2013-0334
31 Oct 2014 — Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. Bundler anterior a 1.7, cuando múltiples líneas de fuentes del máximo nivel están utilizadas, permite a atacantes remotos instalar gemas arbitrarias con el mismo nombre como otra gema en una fuente diferente. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to on... • http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html • CWE-20: Improper Input Validation CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 5.0EPSS: 94%CPEs: 147EXPL: 6CVE-2014-3566 – SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack
https://notcve.org/view.php?id=CVE-2014-3566
15 Oct 2014 — The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. El protocolo SSL 3.0, utilizado en OpenSSL hasta 1.0.1i y otros productos, utiliza relleno (padding) CBC no determinístico, lo que facilita a los atacantes man-in-the-middle obtener datos de texto plano a través de un ataque de relleno (padding) oracle, también conocid... • https://github.com/mikesplain/CVE-2014-3566-poodle-cookbook • CWE-310: Cryptographic Issues CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') •
CVSS: 9.8EPSS: 4%CPEs: 8EXPL: 1CVE-2014-6394 – Apple Security Advisory 2015-09-16-2
https://notcve.org/view.php?id=CVE-2014-6394
08 Oct 2014 — visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory. visionmedia send anterior a 0.8.4 para Node.js utiliza una comparación parcial para verificar si un directorio está dentro del root del documento, lo que permite a atacantes remotos acceder a directorios restringidos, tal y como fue demostrado med... • http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 207EXPL: 0CVE-2014-1571 – Bugzilla Account Creation / XSS / Information Leak
https://notcve.org/view.php?id=CVE-2014-1571
07 Oct 2014 — Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient, related to Bug.pm, Flag.pm, and a mail template. Bugzilla 2.x hasta 4.0.x anterior a 4.0.15, 4.1.x y 4.2.x anterior a 4.2.11, 4.3.x y 4.4.x anterior a 4.4.6, y 4.5.x anterior a 4.5.6 permite a usuarios remotos autenticados obtener información sensible de comenta... • http://advisories.mageia.org/MGASA-2014-0412.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 1%CPEs: 207EXPL: 0CVE-2014-1572 – Bugzilla Account Creation / XSS / Information Leak
https://notcve.org/view.php?id=CVE-2014-1572
07 Oct 2014 — The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not specify a scalar context for the realname parameter, which allows remote attackers to create accounts with unverified e-mail addresses by sending three realname values with realname=login_name as the second, as demonstrated by selecting an e-mail address with a domain name for which group pri... • http://advisories.mageia.org/MGASA-2014-0412.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 207EXPL: 0CVE-2014-1573 – Bugzilla Account Creation / XSS / Information Leak
https://notcve.org/view.php?id=CVE-2014-1573
07 Oct 2014 — Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters, which allows remote attackers to conduct cross-site scripting (XSS) attacks by sending three values for a single parameter name. Bugzilla 2.x hasta 4.0.x anterior a 4.0.15, 4.1.x y 4.2.x anterior a 4.2.11, 4.3.x y 4.4.x anterior a 4.4.6, y 4.5.x anterior a 4.5.6 no asegura que se utilice un contexto escalar par... • http://advisories.mageia.org/MGASA-2014-0412.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •