
CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

18 Dec 2013 — cumin in Red Hat Enterprise MRG Grid 2.4 does not properly enforce user roles, which allows remote authenticated users to bypass intended role restrictions and obtain sensitive information or perform privileged operations via unspecified vectors.
• http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=995038
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

18 Dec 2013 — Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface for cumin in Red Hat Enterprise MRG Grid 2.4 allow remote attackers to hijack the authentication of cumin users for unspecified requests.
• http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=998561
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

18 Dec 2013 — Cross-site scripting (XSS) vulnerability in the web interface for cumin in Red Hat Enterprise MRG Grid 2.4 allows remote attackers to inject arbitrary web script or HTML via the "Max allowance" field in the "Set limit" form.
• http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=998606
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

18 Dec 2013 — SQL injection vulnerability in the web interface for cumin in Red Hat Enterprise MRG Grid 2.4 allows remote attackers to execute arbitrary SQL commands via vectors related to the "filtering table operator."
• http://rhn.redhat.com/errata/RHSA-2013-1851.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
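The entry above names the filtering table operator as the injection point, which is worth a closer look because a comparison operator cannot be passed as a bind parameter: it is part of the statement's structure, so parameterization alone does not cover it. The example below is added here to illustrate that; it is not cumin's code, and the `limits` table, its columns and the sample rows are constructed for the demonstration. It shows a filter built by string formatting (both the operator and the value are attacker-controlled) next to a hardened version that allowlists the column and operator and binds the value.

```python
import sqlite3

# Constructed sample data standing in for a filterable table behind a web
# view. Not cumin's schema; names chosen for the example only.
_ROWS = [("alice", 10), ("bob", 25), ("carol", 40)]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE limits (owner TEXT, max_allowance INTEGER)")
    conn.executemany("INSERT INTO limits VALUES (?, ?)", _ROWS)
    return conn


def filter_vulnerable(conn, column, operator, value):
    """Builds the WHERE clause by formatting. Column, operator and value all
    come from the request, so any of them can rewrite the predicate."""
    sql = f"SELECT owner FROM limits WHERE {column} {operator} '{value}'"
    return [row[0] for row in conn.execute(sql)]


# Structural parts of the statement: checked against fixed allowlists.
ALLOWED_COLUMNS = {"owner", "max_allowance"}
ALLOWED_OPERATORS = {"=", "<>", "<", "<=", ">", ">=", "LIKE"}


def filter_hardened(conn, column, operator, value):
    """Column and operator are validated against allowlists because they
    cannot be bound; the value is passed as a bind parameter and is never
    interpolated into the SQL text."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown column: {column!r}")
    if operator not in ALLOWED_OPERATORS:
        raise ValueError(f"unknown operator: {operator!r}")
    sql = f"SELECT owner FROM limits WHERE {column} {operator} ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def demo():
    """Runs an honest query, two injections against the vulnerable filter,
    and the same inputs against the hardened filter."""
    conn = _connect()
    honest = filter_vulnerable(conn, "owner", "=", "alice")
    # Operator injection: the attacker supplies the operator text itself.
    op_inject = filter_vulnerable(conn, "owner", "= '' OR 1=1 OR owner =", "x")
    # Value injection: the classic quote escape in the value field.
    val_inject = filter_vulnerable(conn, "owner", "=", "x' OR '1'='1")
    # Hardened: the payload is bound as a literal string and matches nothing.
    hardened = filter_hardened(conn, "owner", "=", "x' OR '1'='1")
    try:
        filter_hardened(conn, "owner", "= '' OR 1=1 OR owner =", "x")
        operator_rejected = False
    except ValueError:
        operator_rejected = True
    return honest, op_inject, val_inject, hardened, operator_rejected


if __name__ == "__main__":
    print(demo())
```

The allowlist is the only viable defence for the operator position; escaping is the wrong tool there because the operator is never a string literal in the first place.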

CVSS: 6.5 | EPSS: 0% | CPEs: 10 | EXPL: 0

11 Oct 2013 — The policy definition evaluator in Condor before 7.4.2 does not properly handle attributes in a WANT_SUSPEND policy that evaluate to an UNDEFINED state, which allows remote authenticated users to cause a denial of service (condor_startd exit) via a crafted job.
• http://research.cs.wisc.edu/htcondor/manual/v7.6/8_5Stable_Release.html
• CWE-20: Improper Input Validation

CVSS: 5.8 | EPSS: 0% | CPEs: 274 | EXPL: 0

10 Oct 2013 — Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data.
• http://marc.info/?l=linux-crypto-vger&m=137942122902845&w=2
• CWE-189: Numeric Errors
• CWE-193: Off-by-one Error
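The failure mode in the entry above is about bookkeeping, not about the block cipher: a DRBG front end hands out sub-block requests from a cached block and must record exactly how many bytes of that block have been consumed. The model below is an added example, written for this page and not the kernel's ansi_cprng code; the generator is a stand-in (SHA-256 over a counter) and the variable names mirror the kernel's only for readability. It shows a "buggy" variant that exits the copy loop before advancing the consumed-byte index on the last byte of a request, so the byte is served again by the next small request, next to a fixed variant; a single large request looks identical in both, which is why the bug is only visible across multiple small requests.

```python
import hashlib

BLOCK_SIZE = 16  # assumption: a 16-byte output block, like a block-cipher DRBG


class BufferedPRNG:
    """Model of a block-oriented PRNG front end serving requests smaller
    than one block out of a cached block. Only the consumption bookkeeping
    matters here; the block generator is a deterministic stand-in."""

    def __init__(self, fix_off_by_one):
        self.fixed = fix_off_by_one
        self.counter = 0
        self.rand_data = bytes(BLOCK_SIZE)
        # Index of the next unconsumed byte; == BLOCK_SIZE means "buffer empty".
        self.rand_data_valid = BLOCK_SIZE

    def _get_more_prng_bytes(self):
        # Stand-in generator: not a real DRBG, just a fresh pseudo-random block.
        self.counter += 1
        digest = hashlib.sha256(self.counter.to_bytes(8, "big")).digest()
        self.rand_data = digest[:BLOCK_SIZE]
        self.rand_data_valid = 0

    def get_prng_bytes(self, nbytes):
        out = bytearray()
        byte_count = nbytes
        while byte_count > 0:
            if self.rand_data_valid == BLOCK_SIZE:
                self._get_more_prng_bytes()
            out.append(self.rand_data[self.rand_data_valid])
            byte_count -= 1
            if byte_count == 0 and not self.fixed:
                # Off-by-one: the loop is left before recording that the byte
                # just copied was consumed, so the next request re-serves it.
                break
            self.rand_data_valid += 1
        return bytes(out)


def stream_in_chunks(fix_off_by_one, chunk, total=32):
    """Pull `total` bytes from a fresh instance in requests of `chunk` bytes
    and return the concatenation; the output should not depend on `chunk`."""
    prng = BufferedPRNG(fix_off_by_one)
    out = b""
    while len(out) < total:
        out += prng.get_prng_bytes(min(chunk, total - len(out)))
    return out


if __name__ == "__main__":
    print("fixed, 1-byte requests :", stream_in_chunks(True, 1).hex())
    print("fixed, one request     :", stream_in_chunks(True, 32).hex())
    print("buggy, 1-byte requests :", stream_in_chunks(False, 1).hex())
    print("buggy, one request     :", stream_in_chunks(False, 32).hex())
```

The property to check for any buffered generator is the one `stream_in_chunks` exercises: the byte stream must be independent of how requests are sized. In the buggy variant, a stream of one-byte requests collapses to a single repeated byte, which is the "improper management of the state of the consumed data" the entry describes.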

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

01 Oct 2013 — Cumin, as used in Red Hat Enterprise MRG 2.4, allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted Ajax update request.
• http://rhn.redhat.com/errata/RHSA-2013-1294.html
• CWE-399: Resource Management Errors

CVSS: 9.8 | EPSS: 57% | CPEs: 18 | EXPL: 5

21 Aug 2013 — MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument.
• https://www.exploit-db.com/exploits/24935
• CWE-20: Improper Input Validation
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 6.5 | EPSS: 0% | CPEs: 6 | EXPL: 0

21 Aug 2013 — The policy definition evaluator in Condor 7.5.4, 8.0.0, and earlier does not properly handle attributes in a (1) PREEMPT, (2) SUSPEND, (3) CONTINUE, (4) WANT_VACATE, or (5) KILL policy that evaluate to an Unconfigured, Undefined, or Error state, which allows remote authenticated users to cause a denial of service (condor_startd exit) via a crafted job.
• http://rhn.redhat.com/errata/RHSA-2013-1171.html
• CWE-20: Improper Input Validation

CVSS: 5.9 | EPSS: 0% | CPEs: 17 | EXPL: 0

11 Jul 2013 — The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
• http://qpid.apache.org/releases/qpid-0.22/release-notes.html
• CWE-20: Improper Input Validation
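The entry above is the classic "chain verified, identity not" defect: a valid certificate for any name is accepted because the client never compares the name it dialled against the certificate. The example below is added for this page and is not the Qpid client's code. It implements the check the entry says was missing, over the dict form that `ssl.SSLSocket.getpeercert()` returns: dNSName entries in subjectAltName are authoritative, the subject Common Name is consulted only when the certificate carries no dNSName SAN at all, and a wildcard is honoured only in the left-most label. The certificate dicts are constructed test fixtures. It also shows the stdlib setting that gives the same protection for free (`check_hostname`), which must not be switched off.

```python
import ssl


def _dns_name_match(pattern, hostname):
    """Case-insensitive DNS-ID match in the style of RFC 6125: at most one
    wildcard, only as the whole left-most label, never matching across a
    dot, and never for a bare second-level name like '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, cert):
    """`cert` is in the dict form returned by ssl.SSLSocket.getpeercert().
    Returns True only if the dialled hostname is a DNS-ID of the cert."""
    san_dns = [value for (kind, value) in cert.get("subjectAltName", ())
               if kind == "DNS"]
    if san_dns:
        # Any dNSName SAN present: CN is ignored entirely.
        return any(_dns_name_match(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False


def make_client_context(cafile=None):
    """Stdlib equivalent of the check: chain verification plus hostname
    verification. Leaving check_hostname False is exactly the defect in the
    entry above; create_default_context() already sets it True."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


# Constructed fixtures (not real certificates) in getpeercert() layout.
BROKER_CERT = {
    "subject": ((("commonName", "broker.example.com"),),),
    "subjectAltName": (("DNS", "broker.example.com"),
                       ("DNS", "*.brokers.example.com")),
}
# A certificate that is perfectly valid for its own name; the entry's
# "arbitrary valid certificate" a man-in-the-middle would present.
OTHER_VALID_CERT = {
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}
# Legacy certificate with a CN and no SAN extension.
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.com"),)),
}


if __name__ == "__main__":
    for host, cert in [("broker.example.com", BROKER_CERT),
                       ("broker.example.com", OTHER_VALID_CERT),
                       ("legacy.example.com", CN_ONLY_CERT)]:
        print(host, hostname_matches_cert(host, cert))
```

The order of checks matters: a certificate that has SANs but whose CN happens to match the host must still be rejected, which is what the early return on `san_dns` enforces.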