U.S. Flag Official website of the Department of Homeland Security
TLP:WHITE

Bulletin (SB14-272)

Vulnerability Summary for the Week of September 22, 2014

Original release date: September 29, 2014

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
canonical -- acpi-supportThe Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."2014-09-227.2CVE-2014-0484
DEBIAN
SECUNIA
cisco -- iosCisco IOS 12.0, 12.2, 12.4, 15.0, 15.1, 15.2, and 15.3 and IOS XE 2.x and 3.x before 3.7.4S; 3.2.xSE and 3.3.xSE before 3.3.2SE; 3.3.xSG and 3.4.xSG before 3.4.4SG; and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allow remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCui11547.2014-09-257.8CVE-2014-3354
CONFIRM
cisco -- ios_xeThe metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3.3.xXO before 3.3.1XO, 3.6.xS and 3.7.xS before 3.7.6S, and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allows remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCug75942.2014-09-257.8CVE-2014-3355
CONFIRM
cisco -- ios_xeThe metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3.3.xXO before 3.3.1XO, 3.6.xS and 3.7.xS before 3.7.6S, and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allows remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCue22753.2014-09-257.8CVE-2014-3356
CONFIRM
cisco -- iosCisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE, 3.3.xXO before 3.3.1XO, 3.5.xE before 3.5.2E, and 3.11.xS before 3.11.1S allow remote attackers to cause a denial of service (device reload) via malformed mDNS packets, aka Bug ID CSCul90866.2014-09-257.8CVE-2014-3357
CONFIRM
cisco -- iosMemory leak in Cisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE, 3.3.xXO before 3.3.1XO, 3.5.xE before 3.5.2E, and 3.11.xS before 3.11.1S allows remote attackers to cause a denial of service (memory consumption, and interface queue wedge or device reload) via malformed mDNS packets, aka Bug ID CSCuj58950.2014-09-257.8CVE-2014-3358
CONFIRM
cisco -- iosMemory leak in Cisco IOS 15.1 through 15.4 and IOS XE 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allows remote attackers to cause a denial of service (memory consumption or device reload) via malformed DHCPv6 packets, aka Bug ID CSCum90081.2014-09-257.8CVE-2014-3359
CONFIRM
cisco -- iosCisco IOS 12.4 and 15.0 through 15.4 and IOS XE 3.1.xS, 3.2.xS, 3.3.xS, 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allow remote attackers to cause a denial of service (device reload) via a crafted SIP message, aka Bug ID CSCul46586.2014-09-257.8CVE-2014-3360
CONFIRM
cisco -- iosThe ALG module in Cisco IOS 15.0 through 15.4 does not properly implement SIP over NAT, which allows remote attackers to cause a denial of service (device reload) via multipart SDP IPv4 traffic, aka Bug ID CSCun54071.2014-09-257.1CVE-2014-3361
CONFIRM
cobham -- aviator_700dCobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.2014-09-227.2CVE-2014-2942
gnu -- bashGNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.2014-09-2410.0CVE-2014-6271
CERT
CERT-VN
CONFIRM
UBUNTU
DEBIAN
CISCO
REDHAT
REDHAT
REDHAT
MISC
gnu -- bashGNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.2014-09-2410.0CVE-2014-7169
CERT
CERT-VN
UBUNTU
UBUNTU
MLIST
DEBIAN
MISC
CISCO
REDHAT
MISC
google -- chromeMozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue.2014-09-257.5CVE-2014-1568
CONFIRM
CONFIRM
CONFIRM
ibm -- bladecenter_1/10gIBM System Networking G8052, G8124, G8124-E, G8124-ER, G8264, G8316, and G8264-T switches before 7.9.10.0; EN4093, EN4093R, CN4093, SI4093, EN2092, and G8264CS switches before 7.8.6.0; Flex System Interconnect Fabric before 7.8.6.0; 1G L2-7 SLB switch for Bladecenter before 21.0.21.0; 10G VFSM for Bladecenter before 7.8.14.0; 1:10G switch for Bladecenter before 7.4.8.0; 1G switch for Bladecenter before 5.3.5.0; Server Connectivity Module before 1.1.3.4; System Networking RackSwitch G8332 before 7.7.17.0; and System Networking RackSwitch G8000 before 7.1.7.0 have hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.2014-09-2310.0CVE-2014-4752
infusionsoft_gravity_forms_project -- infusionsoft_gravity_formsThe Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress does not properly restrict access, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to utilities/code_generator.php.2014-09-267.5CVE-2014-6446
MISC
Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
163 -- netease_movieThe netease movie (aka com.netease.movie) application 4.7.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6661
MISC
30a -- 30aThe 30A (aka com.app30a) application 5.26.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-265.4CVE-2014-6726
MISC
addisgag -- addis_gag_funny_amharic_picThe Addis Gag Funny Amharic Pic (aka com.wAmharicFunnyPicture) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6663
MISC
adobe -- acrobatCross-site scripting (XSS) vulnerability in the Help page in Adobe Acrobat 9.5.2 and earlier and ColdFusion 8.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2014-09-264.3CVE-2014-5315
JVNDB
CONFIRM
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.2014-09-206.8CVE-2014-0985
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.2014-09-206.8CVE-2014-0986
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.2014-09-206.8CVE-2014-0987
MISC
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.2014-09-206.8CVE-2014-0988
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.2014-09-206.8CVE-2014-0989
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the UserName parameter.2014-09-206.8CVE-2014-0990
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the projectname parameter.2014-09-206.8CVE-2014-0991
advantech -- advantech_webaccessStack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the password parameter.2014-09-206.8CVE-2014-0992
alhazai -- leadership_newspapersThe Leadership Newspapers (aka com.LeadershipNewspapers) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6657
MISC
alibaba -- alibabaThe alibaba (aka com.alibaba.wireless) application 4.1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5976
MISC
anusthanokarehasya -- baglamukhiThe Baglamukhi (aka com.wshribaglamukhiblog) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6666
MISC
apploi -- apploi_job_search-_find_jobsThe Apploi Job Search- Find Jobs (aka com.apploi) application 4.19 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6658
MISC
autotrader.co.za -- auto_traderThe Auto Trader (aka za.co.autotrader.android.app) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5997
MISC
awesomewidgets -- rasta_weed_widgets_hdThe Rasta Weed Widgets HD (aka aw.awesomewidgets.rastaweed) application 4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6010
MISC
babybus -- babybusThe BabyBus (aka com.sinyee.babybus.concert.ru) application 3.91 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5970
MISC
babydays -- baby_daysThe baby days (aka jp.co.cyberagent.babydays) application 1.5.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5989
MISC
babygekko -- baby_gekkoMultiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some of these details are obtained from third party information.2014-09-224.3CVE-2012-5700
MISC
XF
BID
EXPLOIT-DB
SECUNIA
batch -- batch_libraryThe Batch library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6645
MISC
belasfrasesdeamor -- belas_frases_de_amorThe Belas Frases de Amor (aka com.goodbarber.frasesdeamor) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6003
MISC
bellyhoodcom_project -- bellyhoodcomThe bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6646
MISC
blogkamek -- koleksi_hadis_nabi_sawThe Koleksi Hadis Nabi SAW (aka com.wKoleksiHadisNabiSAW) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6660
MISC
bookjam -- cookbibleThe cookbible (aka net.bookjam.cookbible) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5990
MISC
bump_project -- bumpThe Bump application for Android does not properly handle implicit intents, which allows attackers to obtain sensitive owner-name information via a crafted application.2014-09-215.0CVE-2014-5320
JVNDB
celluloidapp -- celluloidThe Celluloid (aka com.eurisko.celluloid) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6016
MISC
chatbox -- chatbox_-_chat_roomsThe ChatBox - Chat Rooms (aka com.droidchatroom.messengerapp) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5958
MISC
cisco -- cisco_nexus_1000v_intercloudCross-site scripting (XSS) vulnerability in the vCloud Director component in Cisco Nexus 1000V InterCloud for VMware allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuq90524.2014-09-204.3CVE-2014-3367
cisco -- ios_xrCisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed RSVP packet, aka Bug ID CSCuq12031.2014-09-205.0CVE-2014-3376
cisco -- ios_xrsnmpd in Cisco IOS XR 5.1 and earlier allows remote authenticated users to cause a denial of service (process reload) via a malformed SNMPv2 packet, aka Bug ID CSCun67791.2014-09-204.0CVE-2014-3377
cisco -- ios_xrtacacsd in Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed TACACS+ packet, aka Bug ID CSCum00468.2014-09-205.0CVE-2014-3378
cisco -- network_convergence_system_6000Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (NPU and card hang or reload) via a malformed MPLS packet, aka Bug ID CSCuq10466.2014-09-206.1CVE-2014-3379
cisco -- unified_communications_domain_manager_platformCisco Unified Communications Domain Manager Platform Software 4.4(.3) and earlier allows remote attackers to cause a denial of service (CPU consumption) by sending crafted TCP packets quickly, aka Bug ID CSCuo42063.2014-09-235.0CVE-2014-3380
clearfishing -- pesca_de_carpa_liteThe Pesca de Carpa Lite (aka com.clearfishing.pescadecarpa.lite) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-265.4CVE-2014-6720
MISC
corntree -- halieuticsThe Halieutics (aka com.corn.Halieutics) application 21.40.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5963
MISC
d-bus_project -- d-busOff-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.2014-09-226.8CVE-2014-3635
MLIST
DEBIAN
SECUNIA
decoracionesnailart -- designs_nail_artsThe Designs Nail Arts (aka com.decoracionesnailart.flickr) application 3.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5967
MISC
defence -- defence.pkThe Defence.pk (aka com.tapatalk.defencepkforums) application 2.4.13.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6659
MISC
ding -- ding_ezetop._top-up_any_phoneThe ding* ezetop. Top-up Any Phone (aka com.ezetop.world) application 1.3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5994
MISC
dnb -- dnb_tradeThe DNB Trade (aka lt.dnb.mobiletrade) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6640
MISC
dotclear -- dotclearCross-site scripting (XSS) vulnerability in Dotclear before 2.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted page.2014-09-214.3CVE-2014-5316
JVNDB
drar-eym -- drareymThe drareym (aka com.drareym) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6656
MISC
dteenergy -- dte_energyThe DTE Energy (aka com.dteenergy.mydte) application 3.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6002
MISC
ericpol -- ewus_mobileThe eWUS mobile (aka pl.dreryk.ewustest) application 1.4.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5995
MISC
eset -- endpoint_securityThe ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call.2014-09-236.9CVE-2014-4973
MISC
FULLDISC
exoticpetnetwork -- tortoise_forumThe Tortoise Forum (aka org.tortoiseforum.android.forumrunner) application 3.5.16 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6655
MISC
fiatforum -- fiat_forumThe FIAT Forum (aka com.tapatalk.fiatforumcom) application 3.8.41 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6643
MISC
fiksu -- fiksu_libraryThe Fiksu library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5971
MISC
filemaker -- filemaker_proFileMaker Pro before 13 and Pro Advanced before 13 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2319.2014-09-215.8CVE-2014-5321
JVNDB
filemaker -- filemaker_proCross-site scripting (XSS) vulnerability in the Instant Web Publish function in FileMaker Pro before 13 and Pro Advanced before 13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-3640.2014-09-214.3CVE-2014-5322
JVNDB
formnage -- cutpriceThe cutprice (aka kr.co.wedoit.cutprice) application 1.0.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6011
MISC
freshdirect -- freshdirectThe FreshDirect (aka com.freshdirect.android) application 2.7.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6000
MISC
friendcasterapp -- friendcasterThe Friendcaster (aka uk.co.senab.blueNotifyFree) application 5.4.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6672
MISC
fuelrewards -- fuel_rewards_networkThe Fuel Rewards Network (aka com.excentus.frn) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6020
MISC
gamelikeapps -- guess_the_actorThe Guess The Actor (aka com.gamelikeinc.actors) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5962
MISC
gcspublishing -- homesteading_todayThe Homesteading Today (aka com.tapatalk.homesteadingtodaycom) application 3.7.14 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6641
MISC
gebrauchtwagenreport -- dekra_used_car_reportThe DEKRA Used Car Report (aka com.dekra.maengelreport) application 3.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5996
MISC
genertel -- genertelThe Genertel (aka com.genertel) application 2.6.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5980
MISC
geniuscloud -- smart_browserThe Smart Browser (aka smartbrowser.geniuscloud) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5809
MISC
getjar -- azkend_goldThe Azkend Gold (aka com.the10tons.azkend.gold) application 1.2.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5988
MISC
gewara -- gewaraThe gewara (aka com.gewara) application 5.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6001
MISC
global_beauty_research_project -- global_beauty_researchThe global beauty research (aka com.appems.topgirl) application 1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6018
MISC
golauncher -- dreamland_super_theme_go_goldThe Dreamland Super Theme GO Gold (aka com.gau.go.launcherex.viptheme.dreamland.gold) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5966
MISC
grabapp -- eponymsThe eponyms (aka com.anddeveloper.eponyms) application 3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5975
MISC
gratta_&_vinci?_project -- gratta_&_vinci?The Gratta & Vinci? (aka com.dreamstep.wGrattaevinci) application 0.21.13167.93474 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6006
MISC
groovemusic_project -- groovemusicThe GrooveMusic (aka com.mobincube.android.sc_2HKFF) application 2.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5965
MISC
h-dvisa -- harley-davidson_visaThe Harley-Davidson Visa (aka com.usbank.icsmobile.harleydavidson) application 1.18 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6021
MISC
hdcar -- russiananimeThe russiananime (aka com.rareartifact.russiananime68A5CCFE) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5961
MISC
hdcar -- exercitii_pentru_abdomenThe Exercitii pentru abdomen (aka com.rareartifact.exercitiipentruabdomen41E29322) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6676
MISC
healthylifestyle_project -- healthylifestyleThe healthylifestyle (aka com.alek.healthylifestyle) application 1.2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5969
MISC
huge-it -- image_gallerySQL injection vulnerability in the editgallery function in admin/gallery_func.php in the Huge-IT Image Gallery plugin 1.0.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the removeslide parameter to wp-admin/admin.php.2014-09-226.5CVE-2014-7153
MISC
ibm -- rational_clearcaseIBM Rational ClearCase 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.2014-09-235.0CVE-2014-3090
XF
ibm -- rational_clearcaseThe login form in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not insert a delay after a failed authentication attempt, which makes it easier for remote attackers to obtain access via a brute-force attack.2014-09-235.0CVE-2014-3101
XF
ibm -- rational_clearcaseThe Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.2014-09-235.0CVE-2014-3103
XF
ibm -- rational_clearcaseIBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.2014-09-235.0CVE-2014-3104
XF
ibm -- rational_clearcaseThe OSLC integration feature in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names via a series of requests.2014-09-235.0CVE-2014-3105
XF
ibm -- rational_clearcaseIBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not properly implement the Local Access Only protection mechanism, which allows remote attackers to bypass authentication and read files via the Help Server Administration feature.2014-09-235.0CVE-2014-3106
XF
ibm -- websphere_application_serverCross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.x through 6.1.0.47, 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.2014-09-236.0CVE-2014-4816
XF
igolf -- igolf_-_golf_gpsThe iGolf - Golf GPS (aka com.igolf) application 20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5968
MISC
ingen-studios -- conquest_of_fantasiaThe Conquest Of Fantasia (aka air.com.ingen.studios.cof.sg) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6014
MISC
iphone4 -- iphone4.twThe iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6648
MISC
ipposan -- memetanThe memetan (aka memetan.android.com.activity) application 1.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5978
MISC
jig -- jigbrowser+The jigbrowser+ application 1.8.1 and earlier for iOS allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.2014-09-265.8CVE-2014-5318
CONFIRM
JVNDB
JVN
kbv -- federal_doctorsThe BundesArztsuche (aka de.kbv.bas) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5960
MISC
krstarica -- forum_krstariceThe Forum Krstarice (aka com.tapatalk.forumkrstaricacom) application 3.5.14 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6662
MISC
lazyer -- doodle_dropThe Doodle Drop (aka net.lazyer.DoodleDrop) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6017
MISC
letshare -- world_cup_2014_brazil_-_xem_tvThe World Cup 2014 Brazil - Xem TV (aka vn.letshare.football.worldcup) application 2.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6671
MISC
likeheroapp -- likehero_get_instagram_likesThe LikeHero Get Instagram Likes (aka com.fraoula.likehero) application 1.0.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6007
MISC
loving.fm -- loving_-_couple_essentiaThe Loving - Couple Essential (aka com.xiaoenai.app) application 4.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5972
MISC
marksdailyapple -- mark's_daily_apple_forumThe Mark's Daily Apple Forum (aka com.tapatalk.marksdailyapplecomforum) application 2.4.9.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6642
MISC
megabank -- megabankThe MegaBank (aka com.megabank.mobilebank) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5964
MISC
microsoft -- nokia_asha_501_softwareMicrosoft Asha OS on the Microsoft Mobile Nokia Asha 501 phone 14.0.4 allows physically proximate attackers to bypass the lock-screen protection mechanism, and read or modify contact information or dial arbitrary telephone numbers, by tapping the SOS Option and then tapping the Green Call Option.2014-09-216.6CVE-2014-6602
MISC
mobile_face_project -- mobile_faceThe Mobile Face (aka com.wFacemobile) application 0.74.13432.91159 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5977
MISC
mol -- mol_bringapontThe MOL bringaPONT (aka hu.mol.bringapont) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6684
MISC
moweather -- moweatherThe MoWeather (aka com.moji.moweather) application 1.40.05 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5981
MISC
mr384_project -- mzone_loginThe Mzone Login (aka com.mr384.MzoneLogin) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5665
MISC
mybroadband -- mybroadband_tapatalkThe MyBroadband Tapatalk (aka com.tapatalk.mybroadbandcozavb) application 3.9.22 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6649
MISC
mytx -- tx_smartThe tx Smart (aka com.wooriwm.txsmart) application 7.05 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-195.4CVE-2014-5959
MISC
najeebmedia -- n-media_file_uploaderUnrestricted file upload vulnerability in the N-Media file uploader plugin before 3.4 for WordPress allows remote authenticated users to execute arbitrary PHP code by leveraging Author privileges to store a file.2014-09-266.5CVE-2014-5324
JVNDB
JVN
nana_project -- african_radios_liveThe African Radios Live (aka com.nana.africanradioslive) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6668
MISC
netjapan -- tsushima_travel_guideThe Tsushima Travel Guide (aka com.netjapan.ntsushima) application 1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6685
MISC
nextgenupdate -- nextgenupdateThe NextGenUpdate (aka com.tapatalk.nextgenupdatecomforums) application 3.1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6650
MISC
nuphoto -- nusquareThe nuSquare (aka tw.com.nuphoto.nusquare) application 1.0.78 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6013
MISC
openelectrical -- open_electrical_webserThe Open Electrical Webser (aka com.wOpenElectricalWeb) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6683
MISC
planetofthevapes -- planet_of_the_vapes_forumThe Planet of the Vapes Forum (aka com.tapatalk.planetofthevapescoukforums) application 3.7.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6651
MISC
playcomo -- little_dragonsThe Little Dragons (aka com.playcomo.dragongame) application 1.0.256 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5984
MISC
pocket_cam_photo_editor_project -- pocket_cam_photo_editorThe Pocket Cam Photo Editor (aka mobi.pocketcam.editor) application 3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6004
MISC
pocketmags -- inside_crochetThe Inside Crochet (aka com.magazinecloner.insidecrochet) application @7F08017A for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6669
MISC
praninc -- facebook_factsThe Facebook Facts (aka com.wFacebookFacts) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6637
MISC
preplaysports -- mlb_preplayThe MLB Preplay (aka com.preplay.android.mlb) application 5.4.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5993
MISC
psecu -- psecu_mobile+The PSECU Mobile+ (aka com.Vertifi.Mobile.P231381116) application 2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5974
MISC
psychology_project -- psychologyThe psychology (aka com.alek.psychology) application 1.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6019
MISC
puzzles_and_matchup_games_project -- educational_puzzles_-_lettersThe Educational Puzzles - Letters (aka com.EducationalPuzzlesLetters) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5986
MISC
quranedu -- ahmed_bukhatir_nasheeds_tvThe Ahmed Bukhatir Nasheeds TV (aka com.wAhmedBukhatirApp) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6665
MISC
redhat -- network_satelliteCross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.2014-09-224.3CVE-2014-3595
SECUNIA
rsupport -- lg_telepresenceThe LG Telepresence (aka com.rsupport.rtc.lge) application 2.0.12 Build 63 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6636
MISC
runkeeper -- runkeeper_-_gps_track_run_walkThe RunKeeper - GPS Track Run Walk (aka com.fitnesskeeper.runkeeper.pro) application 4.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5982
MISC
rutaexacta -- ruta_exactaThe Ruta Exacta (aka com.rutaexacta.m) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6675
MISC
s-peek -- s-peek_credit_rating_reportThe s-peek credit rating report (aka com.rhomobile.speek) application 2.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6023
MISC
santiagosarceda -- elforro.comThe ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6647
MISC
secondfiction -- blitz_bingoThe Blitz Bingo (aka com.appMobi.sbbingo.app) application 2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6008
MISC
singaporemotherhood -- singaporemotherhood_forumThe SingaporeMotherhood Forum (aka com.tapatalk.singaporemotherhoodcomforum) application 3.6.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6670
MISC
skin_conditions_and_diseases_project -- skin_conditions_and_diseasesThe Skin Conditions and Diseases (aka com.appsgeyser.wSkinConditions) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5991
MISC
skydrive_assistant_project -- skydrive_assistantThe SkyDrive Assistant (aka com.dhh.sky) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5998
MISC
socialknowledge -- aquarium_adviceThe Aquarium Advice (aka com.socialknowledge.aquariumadvice) application 3.7.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5973
MISC
sos -- jobschedulerXML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.2014-09-235.8CVE-2014-5392
CONFIRM
successsecrets -- successsecrets_projectThe successsecrets (aka com.alek.successsecrets) application 1.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5992
MISC
survey.com -- survey.com_mobileThe Survey.com Mobile (aka com.survey.android) application 3.2.16 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6005
MISC
telenavsoftware -- autonaviThe autonavi (aka com.telenav.doudouyou.android.autonavi) application 4.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5999
MISC
threadflip -- threadflip_:_buy,_sell_fashionThe Threadflip : Buy, Sell Fashion (aka com.threadflip.android) application 1.1.11 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-5983
MISC
three -- my3The My3 - by 3HK (aka com.my3) application @7F0A0001 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5987
CERT-VN
MISC
ticketroundup -- ticket_round_upThe Ticket Round Up (aka com.xcr.android.ticketroundupapp) application 3.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6677
MISC
tiomobilepay -- tio_mobilepay_-_bill_paymentsThe TIO MobilePay - Bill Payments (aka com.tionetworks.mobile.android.tioclient) application 1.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6639
MISC
toddm -- gravity_bounceThe Gravity Bounce (aka net.toddm.gb) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6012
MISC
topappsbuilder_project -- animal_kaiser_zangetsuThe Animal Kaiser Zangetsu (aka com.wAnimalKaiserZangetsu) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5985
MISC
tucarro -- tucarroThe TuCarro (aka com.tucarro) application 2.0.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6015
MISC
tvbengali -- tv_bengali_open_directoryThe TV Bengali Open Directory (aka com.TVBengali) application 1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-205.4CVE-2014-5979
MISC
versentbooks -- versent_booksThe Versent Books (aka com.versentbooks) application 1.1.99 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6022
MISC
wireshark -- wiresharkUse-after-free vulnerability in the SDP dissector in Wireshark 1.10.x before 1.10.10 allows remote attackers to cause a denial of service (application crash) via a crafted packet that leverages split memory ownership between the SDP and RTP dissectors.2014-09-205.0CVE-2014-6421
CONFIRM
CONFIRM
wireshark -- wiresharkThe SDP dissector in Wireshark 1.10.x before 1.10.10 creates duplicate hashtables for a media channel, which allows remote attackers to cause a denial of service (application crash) via a crafted packet to the RTP dissector.2014-09-205.0CVE-2014-6422
CONFIRM
CONFIRM
wireshark -- wiresharkThe tvb_raw_text_add function in epan/dissectors/packet-megaco.c in the MEGACO dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (infinite loop) via an empty line.2014-09-205.0CVE-2014-6423
CONFIRM
CONFIRM
wireshark -- wiresharkThe dissect_v9_v10_pdu_data function in epan/dissectors/packet-netflow.c in the Netflow dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 refers to incorrect offset and start variables, which allows remote attackers to cause a denial of service (uninitialized memory read and application crash) via a crafted packet.2014-09-205.0CVE-2014-6424
CONFIRM
CONFIRM
wireshark -- wiresharkThe (1) get_quoted_string and (2) get_unquoted_string functions in epan/dissectors/packet-cups.c in the CUPS dissector in Wireshark 1.12.x before 1.12.1 allow remote attackers to cause a denial of service (buffer over-read and application crash) via a CUPS packet that lacks a trailing '\0' character.2014-09-205.0CVE-2014-6425
CONFIRM
CONFIRM
wireshark -- wiresharkThe dissect_hip_tlv function in epan/dissectors/packet-hip.c in the HIP dissector in Wireshark 1.12.x before 1.12.1 does not properly handle a NULL tree, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.2014-09-205.0CVE-2014-6426
CONFIRM
wireshark -- wiresharkOff-by-one error in the is_rtsp_request_or_reply function in epan/dissectors/packet-rtsp.c in the RTSP dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet that triggers parsing of a token located one position beyond the current position.2014-09-205.0CVE-2014-6427
CONFIRM
CONFIRM
wireshark -- wiresharkThe dissect_spdu function in epan/dissectors/packet-ses.c in the SES dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not initialize a certain ID value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.2014-09-205.0CVE-2014-6428
CONFIRM
CONFIRM
wireshark -- wiresharkThe SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not properly handle empty input data, which allows remote attackers to cause a denial of service (application crash) via a crafted file.2014-09-205.0CVE-2014-6429
CONFIRM
CONFIRM
wireshark -- wiresharkThe SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not validate bitmask data, which allows remote attackers to cause a denial of service (application crash) via a crafted file.2014-09-205.0CVE-2014-6430
CONFIRM
CONFIRM
wireshark -- wiresharkBuffer overflow in the SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted file that triggers writes of uncompressed bytes beyond the end of the output buffer.2014-09-205.0CVE-2014-6431
CONFIRM
CONFIRM
wireshark -- wiresharkThe SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not prevent data overwrites during copy operations, which allows remote attackers to cause a denial of service (application crash) via a crafted file.2014-09-205.0CVE-2014-6432
CONFIRM
CONFIRM
wizaz -- wizaz_forumThe Wizaz Forum (aka com.tapatalk.wizazplforum) application 3.6.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6652
MISC
wordbox -- algeria_radioThe Algeria Radio (aka com.wordbox.algeriaRadio) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6678
MISC
wordbox -- mahabharata_audiocastThe Mahabharata Audiocast (aka com.wordbox.mahabharataAudiocast) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6681
MISC
wordboxapps -- afghan_radioThe Afghan Radio (aka com.wordbox.afghanRadio) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6653
MISC
wtmdesktop_project -- wtmdesktopThe wTMDesktop (aka com.wTMDesktop) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6638
MISC
wtrootrootvizle_project -- wtrootrootvizleThe wTrootrooTvIzle (aka com.wTrootrooTvIzle) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-235.4CVE-2014-6654
MISC
zombie_detector_project -- zombie_detectorThe Zombie Detector (aka com.jimmybolstad.zombiedetector) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2014-09-225.4CVE-2014-6009
MISC
Back to top

Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
d-bus_project -- d-busD-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.2014-09-222.1CVE-2014-3637
MLIST
DEBIAN
SECUNIA
d-bus_project -- d-busThe bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.2014-09-222.1CVE-2014-3638
MLIST
DEBIAN
SECUNIA
d-bus_project -- d-busThe dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.2014-09-222.1CVE-2014-3639
MLIST
DEBIAN
SECUNIA
ibm -- websphere_application_serverCross-site scripting (XSS) vulnerability in IBM WebSphere Application Server (WAS) 6.x through 6.1.0.47, 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 allows remote authenticated administrators to inject arbitrary web script or HTML via a crafted URL.2014-09-233.5CVE-2014-4770
XF
ibm -- curam_social_program_managementCross-site scripting (XSS) vulnerability in IBM Curam Social Program Management (SPM) 6.0.4 before 6.0.4.5 iFix7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.2014-09-233.5CVE-2014-6091
Back to top

 

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top