CVSS: 10.0EPSS: 91%CPEs: 22EXPL: 0CVE-2014-0457 – Oracle Java ScriptEngineManager Sandbox Bypass Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-0457
Unspecified vulnerability in Oracle Java SE 5.0u61, SE 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Vulnerabilidad sin especificar en Oracle Java SE 5.0u61, SE 6u71, 7u51, y 8; JRockit R27.8.1 y R28.3.1; y Java SE Embedded 7u51 permite a atacantes remotos afectar la confidencialidad, integridad y disponibilidad a través de vectores desconocidos relacionados con las librerías. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within ScriptEngineManager. With the usage of this class, it is possible to disable the security manager and run code as privileged. • http://marc.info/?l=bugtraq&m=140852974709252&w=2 http://rhn.redhat.com/errata/RHSA-2014-0675.html http://rhn.redhat.com/errata/RHSA-2014-0685.html http://secunia.com/advisories/58415 http://secunia.com/advisories/58974 http://secunia.com/advisories/59058 http://security.gentoo.org/glsa/glsa-201406-32.xml http://security.gentoo.org/glsa/glsa-201502-12.xml http://www-01.ibm.com/support/docview.wss?uid=swg21672080 http://www-01.ibm.com/support/docview.wss?uid= •
CVSS: 10.0EPSS: 1%CPEs: 4EXPL: 0CVE-2014-0432 – Oracle Java permuteArguments Sandbox Bypass Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-0432
Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0455 and CVE-2014-2402. Vulnerabilidad no especificada en Oracle Java SE 7u51 y 8, y Java SE Embedded 7u51, que permite a atacantes remotos afectar la confidencialidad, integridad y disponibilidad a través de vectores desconocidos relacionados con las librerías, una vulnerabilidad diferente a CVE-2014-0455 y CVE-2014-2402. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the usage of permuteArguments. With the usage of this method, it is possible to disable the security manager and run code as privileged. • http://marc.info/?l=bugtraq&m=140852886808946&w=2 http://security.gentoo.org/glsa/glsa-201502-12.xml http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html http://www.securityfocus.com/bid/66897 https://access.redhat.com/errata/RHSA-2014:0413 https://access.redhat.com/security/cve/CVE-2014-0432 https://bugzilla.redhat.com/show_bug.cgi?id=1088023 •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2014-0512 – Adobe Reader Sandbox Bypass Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-0512
Adobe Reader 11.0.06 allows attackers to bypass a PDF sandbox protection mechanism via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2014. Adobe Reader 11.0.06 permite a atacantes evadir un mecanismo de protección sandbox a través de vectores no especificados, como fue demostrado por VUPEN durante una competición Pwn2Own en CanSecWest 2014. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file writes. The issue lies in the failure to properly validate user-supplied paths. • http://helpx.adobe.com/security/products/reader/apsb14-15.html http://twitter.com/thezdi/statuses/443827076580122624 http://www.pwn2own.com/2014/03/pwn2own-results-for-wednesday-day-one • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0CVE-2014-1714 – Google Chrome Clipboard Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2014-1714
The ScopedClipboardWriter::WritePickledData function in ui/base/clipboard/scoped_clipboard_writer.cc in Google Chrome before 33.0.1750.152 on OS X and Linux and before 33.0.1750.154 on Windows does not verify a certain format value, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the clipboard. La función ScopedClipboardWriter::WritePickledData en ui/base/clipboard/scoped_clipboard_writer.cc en Google Chrome anterior a 33.0.1750.152 en OS X y Linux y anterior a 33.0.1750.154 en Windows no verifica cierto valor de formato, lo que permite a atacantes remotos causar una denegación de servicio o posiblemente tener otro impacto no especificado a través de vectores relacionados con el portapapeles. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the Microsoft Windows Clipboard. An attacker can leverage this vulnerability to execute code under the context of the broker process. • http://archives.neohapsis.com/archives/bugtraq/2014-03/0143.html http://googlechromereleases.blogspot.com/2014/03/stable-channel-update_14.html http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00008.html http://security.gentoo.org/glsa/glsa-201408-16.xml https://code.google.com/p/chromium/issues/detail?id=352395 https://src.chromium.org/viewvc/chrome?revision=256974&view=revision • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2014-1715 – Google Chrome Directory Traversal Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2014-1715
Directory traversal vulnerability in Google Chrome before 33.0.1750.152 on OS X and Linux and before 33.0.1750.154 on Windows has unspecified impact and attack vectors. Vulnerabilidad de salto de directorio en Google Chrome anterior a 33.0.1750.152 en OS X y Linux y anterior a 33.0.1750.154 en Windows tiene vectores de impacto y ataque no especificados. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of directories. The issue lies in the failure to fully check for directory traversal attempts. • http://googlechromereleases.blogspot.com/2014/03/stable-channel-update_14.html http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00008.html http://security.gentoo.org/glsa/glsa-201408-16.xml http://www.debian.org/security/2014/dsa-2883 http://www.securityfocus.com/bid/66249 https://code.google.com/p/chromium/issues/detail?id=352429 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •