SB14-272: Vulnerability Summary for the Week of September 22, 2014

"US-CERT" <US-CERT@xxxxxxxxxxxxxxxx> · Mon, 29 Sep 2014 06:17:12 -0500

Title:     SB14-272: Vulnerability Summary for the Week of September 22, 2014

  National Cyber Awareness System:

SB14-272: Vulnerability Summary for the Week of September 22, 2014
09/29/2014 06:42 AM EDT

Original release date: September 29, 2014 

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product Description Published CVSS Score Source & Patch Info

canonical -- acpi-support
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."
2014-09-22
7.2
CVE-2014-0484
DEBIAN
SECUNIA

cisco -- ios
Cisco IOS 12.0, 12.2, 12.4, 15.0, 15.1, 15.2, and 15.3 and IOS XE 2.x and 3.x before 3.7.4S; 3.2.xSE and 3.3.xSE before 3.3.2SE; 3.3.xSG and 3.4.xSG before 3.4.4SG; and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allow remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCui11547.
2014-09-25
7.8
CVE-2014-3354
CONFIRM

cisco -- ios_xe
The metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3.3.xXO before 3.3.1XO, 3.6.xS and 3.7.xS before 3.7.6S, and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allows remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCug75942.
2014-09-25
7.8
CVE-2014-3355
CONFIRM

cisco -- ios_xe
The metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3.3.xXO before 3.3.1XO, 3.6.xS and 3.7.xS before 3.7.6S, and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allows remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCue22753.
2014-09-25
7.8
CVE-2014-3356
CONFIRM

cisco -- ios
Cisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE, 3.3.xXO before 3.3.1XO, 3.5.xE before 3.5.2E, and 3.11.xS before 3.11.1S allow remote attackers to cause a denial of service (device reload) via malformed mDNS packets, aka Bug ID CSCul90866.
2014-09-25
7.8
CVE-2014-3357
CONFIRM

cisco -- ios
Memory leak in Cisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE, 3.3.xXO before 3.3.1XO, 3.5.xE before 3.5.2E, and 3.11.xS before 3.11.1S allows remote attackers to cause a denial of service (memory consumption, and interface queue wedge or device reload) via malformed mDNS packets, aka Bug ID CSCuj58950.
2014-09-25
7.8
CVE-2014-3358
CONFIRM

cisco -- ios
Memory leak in Cisco IOS 15.1 through 15.4 and IOS XE 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allows remote attackers to cause a denial of service (memory consumption or device reload) via malformed DHCPv6 packets, aka Bug ID CSCum90081.
2014-09-25
7.8
CVE-2014-3359
CONFIRM

cisco -- ios
Cisco IOS 12.4 and 15.0 through 15.4 and IOS XE 3.1.xS, 3.2.xS, 3.3.xS, 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allow remote attackers to cause a denial of service (device reload) via a crafted SIP message, aka Bug ID CSCul46586.
2014-09-25
7.8
CVE-2014-3360
CONFIRM

cisco -- ios
The ALG module in Cisco IOS 15.0 through 15.4 does not properly implement SIP over NAT, which allows remote attackers to cause a denial of service (device reload) via multipart SDP IPv4 traffic, aka Bug ID CSCun54071.
2014-09-25
7.1
CVE-2014-3361
CONFIRM

cobham -- aviator_700d
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.
2014-09-22
7.2
CVE-2014-2942

gnu -- bash
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
2014-09-24
10.0
CVE-2014-6271
CERT
CERT-VN
CONFIRM
UBUNTU
DEBIAN
CISCO
REDHAT
REDHAT
REDHAT
MISC

gnu -- bash
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
2014-09-24
10.0
CVE-2014-7169
CERT
CERT-VN
UBUNTU
UBUNTU
MLIST
DEBIAN
MISC
CISCO
REDHAT
MISC

google -- chrome
Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue.
2014-09-25
7.5
CVE-2014-1568
CONFIRM
CONFIRM
CONFIRM

ibm -- bladecenter_1/10g
IBM System Networking G8052, G8124, G8124-E, G8124-ER, G8264, G8316, and G8264-T switches before 7.9.10.0; EN4093, EN4093R, CN4093, SI4093, EN2092, and G8264CS switches before 7.8.6.0; Flex System Interconnect Fabric before 7.8.6.0; 1G L2-7 SLB switch for Bladecenter before 21.0.21.0; 10G VFSM for Bladecenter before 7.8.14.0; 1:10G switch for Bladecenter before 7.4.8.0; 1G switch for Bladecenter before 5.3.5.0; Server Connectivity Module before 1.1.3.4; System Networking RackSwitch G8332 before 7.7.17.0; and System Networking RackSwitch G8000 before 7.1.7.0 have hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
2014-09-23
10.0
CVE-2014-4752

infusionsoft_gravity_forms_project -- infusionsoft_gravity_forms
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress does not properly restrict access, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to utilities/code_generator.php.
2014-09-26
7.5
CVE-2014-6446
MISC

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product Description Published CVSS Score Source & Patch Info

163 -- netease_movie
The netease movie (aka com.netease.movie) application 4.7.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6661
MISC

30a -- 30a
The 30A (aka com.app30a) application 5.26.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-26
5.4
CVE-2014-6726
MISC

addisgag -- addis_gag_funny_amharic_pic
The Addis Gag Funny Amharic Pic (aka com.wAmharicFunnyPicture) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6663
MISC

adobe -- acrobat
Cross-site scripting (XSS) vulnerability in the Help page in Adobe Acrobat 9.5.2 and earlier and ColdFusion 8.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
2014-09-26
4.3
CVE-2014-5315
JVNDB
CONFIRM

advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.
2014-09-20
6.8
CVE-2014-0985

advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.
2014-09-20
6.8
CVE-2014-0986

advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.
2014-09-20
6.8
CVE-2014-0987
MISC

advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.
2014-09-20
6.8
CVE-2014-0988

advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.
2014-09-20
6.8
CVE-2014-0989

advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the UserName parameter.
2014-09-20
6.8
CVE-2014-0990

advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the projectname parameter.
2014-09-20
6.8
CVE-2014-0991

advantech -- advantech_webaccess
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the password parameter.
2014-09-20
6.8
CVE-2014-0992

alhazai -- leadership_newspapers
The Leadership Newspapers (aka com.LeadershipNewspapers) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6657
MISC

alibaba -- alibaba
The alibaba (aka com.alibaba.wireless) application 4.1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5976
MISC

anusthanokarehasya -- baglamukhi
The Baglamukhi (aka com.wshribaglamukhiblog) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6666
MISC

apploi -- apploi_job_search-_find_jobs
The Apploi Job Search- Find Jobs (aka com.apploi) application 4.19 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6658
MISC

autotrader.co.za -- auto_trader
The Auto Trader (aka za.co.autotrader.android.app) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5997
MISC

awesomewidgets -- rasta_weed_widgets_hd
The Rasta Weed Widgets HD (aka aw.awesomewidgets.rastaweed) application 4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6010
MISC

babybus -- babybus
The BabyBus (aka com.sinyee.babybus.concert.ru) application 3.91 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5970
MISC

babydays -- baby_days
The baby days (aka jp.co.cyberagent.babydays) application 1.5.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5989
MISC

babygekko -- baby_gekko
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some of these details are obtained from third party information.
2014-09-22
4.3
CVE-2012-5700
MISC
XF
BID
EXPLOIT-DB
SECUNIA

batch -- batch_library
The Batch library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6645
MISC

belasfrasesdeamor -- belas_frases_de_amor
The Belas Frases de Amor (aka com.goodbarber.frasesdeamor) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6003
MISC

bellyhoodcom_project -- bellyhoodcom
The bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6646
MISC

blogkamek -- koleksi_hadis_nabi_saw
The Koleksi Hadis Nabi SAW (aka com.wKoleksiHadisNabiSAW) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6660
MISC

bookjam -- cookbible
The cookbible (aka net.bookjam.cookbible) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5990
MISC

bump_project -- bump
The Bump application for Android does not properly handle implicit intents, which allows attackers to obtain sensitive owner-name information via a crafted application.
2014-09-21
5.0
CVE-2014-5320
JVNDB

celluloidapp -- celluloid
The Celluloid (aka com.eurisko.celluloid) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6016
MISC

chatbox -- chatbox_-_chat_rooms
The ChatBox - Chat Rooms (aka com.droidchatroom.messengerapp) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5958
MISC

cisco -- cisco_nexus_1000v_intercloud
Cross-site scripting (XSS) vulnerability in the vCloud Director component in Cisco Nexus 1000V InterCloud for VMware allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuq90524.
2014-09-20
4.3
CVE-2014-3367

cisco -- ios_xr
Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed RSVP packet, aka Bug ID CSCuq12031.
2014-09-20
5.0
CVE-2014-3376

cisco -- ios_xr
snmpd in Cisco IOS XR 5.1 and earlier allows remote authenticated users to cause a denial of service (process reload) via a malformed SNMPv2 packet, aka Bug ID CSCun67791.
2014-09-20
4.0
CVE-2014-3377

cisco -- ios_xr
tacacsd in Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed TACACS+ packet, aka Bug ID CSCum00468.
2014-09-20
5.0
CVE-2014-3378

cisco -- network_convergence_system_6000
Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (NPU and card hang or reload) via a malformed MPLS packet, aka Bug ID CSCuq10466.
2014-09-20
6.1
CVE-2014-3379

cisco -- unified_communications_domain_manager_platform
Cisco Unified Communications Domain Manager Platform Software 4.4(.3) and earlier allows remote attackers to cause a denial of service (CPU consumption) by sending crafted TCP packets quickly, aka Bug ID CSCuo42063.
2014-09-23
5.0
CVE-2014-3380

clearfishing -- pesca_de_carpa_lite
The Pesca de Carpa Lite (aka com.clearfishing.pescadecarpa.lite) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-26
5.4
CVE-2014-6720
MISC

corntree -- halieutics
The Halieutics (aka com.corn.Halieutics) application 21.40.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5963
MISC

d-bus_project -- d-bus
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.
2014-09-22
6.8
CVE-2014-3635
MLIST
DEBIAN
SECUNIA

decoracionesnailart -- designs_nail_arts
The Designs Nail Arts (aka com.decoracionesnailart.flickr) application 3.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5967
MISC

defence -- defence.pk
The Defence.pk (aka com.tapatalk.defencepkforums) application 2.4.13.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6659
MISC

ding -- ding_ezetop._top-up_any_phone
The ding* ezetop. Top-up Any Phone (aka com.ezetop.world) application 1.3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5994
MISC

dnb -- dnb_trade
The DNB Trade (aka lt.dnb.mobiletrade) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6640
MISC

dotclear -- dotclear
Cross-site scripting (XSS) vulnerability in Dotclear before 2.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted page.
2014-09-21
4.3
CVE-2014-5316
JVNDB

drar-eym -- drareym
The drareym (aka com.drareym) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6656
MISC

dteenergy -- dte_energy
The DTE Energy (aka com.dteenergy.mydte) application 3.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6002
MISC

ericpol -- ewus_mobile
The eWUS mobile (aka pl.dreryk.ewustest) application 1.4.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5995
MISC

eset -- endpoint_security
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call.
2014-09-23
6.9
CVE-2014-4973
MISC
FULLDISC

exoticpetnetwork -- tortoise_forum
The Tortoise Forum (aka org.tortoiseforum.android.forumrunner) application 3.5.16 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6655
MISC

fiatforum -- fiat_forum
The FIAT Forum (aka com.tapatalk.fiatforumcom) application 3.8.41 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6643
MISC

fiksu -- fiksu_library
The Fiksu library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5971
MISC

filemaker -- filemaker_pro
FileMaker Pro before 13 and Pro Advanced before 13 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2319.
2014-09-21
5.8
CVE-2014-5321
JVNDB

filemaker -- filemaker_pro
Cross-site scripting (XSS) vulnerability in the Instant Web Publish function in FileMaker Pro before 13 and Pro Advanced before 13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-3640.
2014-09-21
4.3
CVE-2014-5322
JVNDB

formnage -- cutprice
The cutprice (aka kr.co.wedoit.cutprice) application 1.0.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6011
MISC

freshdirect -- freshdirect
The FreshDirect (aka com.freshdirect.android) application 2.7.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6000
MISC

friendcasterapp -- friendcaster
The Friendcaster (aka uk.co.senab.blueNotifyFree) application 5.4.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6672
MISC

fuelrewards -- fuel_rewards_network
The Fuel Rewards Network (aka com.excentus.frn) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6020
MISC

gamelikeapps -- guess_the_actor
The Guess The Actor (aka com.gamelikeinc.actors) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5962
MISC

gcspublishing -- homesteading_today
The Homesteading Today (aka com.tapatalk.homesteadingtodaycom) application 3.7.14 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6641
MISC

gebrauchtwagenreport -- dekra_used_car_report
The DEKRA Used Car Report (aka com.dekra.maengelreport) application 3.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5996
MISC

genertel -- genertel
The Genertel (aka com.genertel) application 2.6.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5980
MISC

geniuscloud -- smart_browser
The Smart Browser (aka smartbrowser.geniuscloud) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5809
MISC

getjar -- azkend_gold
The Azkend Gold (aka com.the10tons.azkend.gold) application 1.2.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5988
MISC

gewara -- gewara
The gewara (aka com.gewara) application 5.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6001
MISC

global_beauty_research_project -- global_beauty_research
The global beauty research (aka com.appems.topgirl) application 1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6018
MISC

golauncher -- dreamland_super_theme_go_gold
The Dreamland Super Theme GO Gold (aka com.gau.go.launcherex.viptheme.dreamland.gold) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5966
MISC

grabapp -- eponyms
The eponyms (aka com.anddeveloper.eponyms) application 3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5975
MISC

gratta_&_vinci?_project -- gratta_&_vinci?
The Gratta & Vinci? (aka com.dreamstep.wGrattaevinci) application 0.21.13167.93474 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6006
MISC

groovemusic_project -- groovemusic
The GrooveMusic (aka com.mobincube.android.sc_2HKFF) application 2.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5965
MISC

h-dvisa -- harley-davidson_visa
The Harley-Davidson Visa (aka com.usbank.icsmobile.harleydavidson) application 1.18 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6021
MISC

hdcar -- russiananime
The russiananime (aka com.rareartifact.russiananime68A5CCFE) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5961
MISC

hdcar -- exercitii_pentru_abdomen
The Exercitii pentru abdomen (aka com.rareartifact.exercitiipentruabdomen41E29322) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6676
MISC

healthylifestyle_project -- healthylifestyle
The healthylifestyle (aka com.alek.healthylifestyle) application 1.2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5969
MISC

huge-it -- image_gallery
SQL injection vulnerability in the editgallery function in admin/gallery_func.php in the Huge-IT Image Gallery plugin 1.0.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the removeslide parameter to wp-admin/admin.php.
2014-09-22
6.5
CVE-2014-7153
MISC

ibm -- rational_clearcase
IBM Rational ClearCase 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
2014-09-23
5.0
CVE-2014-3090
XF

ibm -- rational_clearcase
The login form in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not insert a delay after a failed authentication attempt, which makes it easier for remote attackers to obtain access via a brute-force attack.
2014-09-23
5.0
CVE-2014-3101
XF

ibm -- rational_clearcase
The Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
2014-09-23
5.0
CVE-2014-3103
XF

ibm -- rational_clearcase
IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
2014-09-23
5.0
CVE-2014-3104
XF

ibm -- rational_clearcase
The OSLC integration feature in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names via a series of requests.
2014-09-23
5.0
CVE-2014-3105
XF

ibm -- rational_clearcase
IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not properly implement the Local Access Only protection mechanism, which allows remote attackers to bypass authentication and read files via the Help Server Administration feature.
2014-09-23
5.0
CVE-2014-3106
XF

ibm -- websphere_application_server
Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.x through 6.1.0.47, 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.
2014-09-23
6.0
CVE-2014-4816
XF

igolf -- igolf_-_golf_gps
The iGolf - Golf GPS (aka com.igolf) application 20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5968
MISC

ingen-studios -- conquest_of_fantasia
The Conquest Of Fantasia (aka air.com.ingen.studios.cof.sg) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6014
MISC

iphone4 -- iphone4.tw
The iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6648
MISC

ipposan -- memetan
The memetan (aka memetan.android.com.activity) application 1.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5978
MISC

jig -- jigbrowser+
The jigbrowser+ application 1.8.1 and earlier for iOS allows remote attackers to bypass the Same Origin Policy via crafted _javascript_ code.
2014-09-26
5.8
CVE-2014-5318
CONFIRM
JVNDB
JVN

kbv -- federal_doctors
The BundesArztsuche (aka de.kbv.bas) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5960
MISC

krstarica -- forum_krstarice
The Forum Krstarice (aka com.tapatalk.forumkrstaricacom) application 3.5.14 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6662
MISC

lazyer -- doodle_drop
The Doodle Drop (aka net.lazyer.DoodleDrop) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6017
MISC

letshare -- world_cup_2014_brazil_-_xem_tv
The World Cup 2014 Brazil - Xem TV (aka vn.letshare.football.worldcup) application 2.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6671
MISC

likeheroapp -- likehero_get_instagram_likes
The LikeHero Get Instagram Likes (aka com.fraoula.likehero) application 1.0.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6007
MISC

loving.fm -- loving_-_couple_essentia
The Loving - Couple Essential (aka com.xiaoenai.app) application 4.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5972
MISC

marksdailyapple -- mark's_daily_apple_forum
The Mark's Daily Apple Forum (aka com.tapatalk.marksdailyapplecomforum) application 2.4.9.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6642
MISC

megabank -- megabank
The MegaBank (aka com.megabank.mobilebank) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5964
MISC

microsoft -- nokia_asha_501_software
Microsoft Asha OS on the Microsoft Mobile Nokia Asha 501 phone 14.0.4 allows physically proximate attackers to bypass the lock-screen protection mechanism, and read or modify contact information or dial arbitrary telephone numbers, by tapping the SOS Option and then tapping the Green Call Option.
2014-09-21
6.6
CVE-2014-6602
MISC

mobile_face_project -- mobile_face
The Mobile Face (aka com.wFacemobile) application 0.74.13432.91159 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5977
MISC

mol -- mol_bringapont
The MOL bringaPONT (aka hu.mol.bringapont) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6684
MISC

moweather -- moweather
The MoWeather (aka com.moji.moweather) application 1.40.05 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5981
MISC

mr384_project -- mzone_login
The Mzone Login (aka com.mr384.MzoneLogin) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5665
MISC

mybroadband -- mybroadband_tapatalk
The MyBroadband Tapatalk (aka com.tapatalk.mybroadbandcozavb) application 3.9.22 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6649
MISC

mytx -- tx_smart
The tx Smart (aka com.wooriwm.txsmart) application 7.05 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-19
5.4
CVE-2014-5959
MISC

najeebmedia -- n-media_file_uploader
Unrestricted file upload vulnerability in the N-Media file uploader plugin before 3.4 for WordPress allows remote authenticated users to execute arbitrary PHP code by leveraging Author privileges to store a file.
2014-09-26
6.5
CVE-2014-5324
JVNDB
JVN

nana_project -- african_radios_live
The African Radios Live (aka com.nana.africanradioslive) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6668
MISC

netjapan -- tsushima_travel_guide
The Tsushima Travel Guide (aka com.netjapan.ntsushima) application 1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6685
MISC

nextgenupdate -- nextgenupdate
The NextGenUpdate (aka com.tapatalk.nextgenupdatecomforums) application 3.1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6650
MISC

nuphoto -- nusquare
The nuSquare (aka tw.com.nuphoto.nusquare) application 1.0.78 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6013
MISC

openelectrical -- open_electrical_webser
The Open Electrical Webser (aka com.wOpenElectricalWeb) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6683
MISC

planetofthevapes -- planet_of_the_vapes_forum
The Planet of the Vapes Forum (aka com.tapatalk.planetofthevapescoukforums) application 3.7.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6651
MISC

playcomo -- little_dragons
The Little Dragons (aka com.playcomo.dragongame) application 1.0.256 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5984
MISC

pocket_cam_photo_editor_project -- pocket_cam_photo_editor
The Pocket Cam Photo Editor (aka mobi.pocketcam.editor) application 3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6004
MISC

pocketmags -- inside_crochet
The Inside Crochet (aka com.magazinecloner.insidecrochet) application @7F08017A for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6669
MISC

praninc -- facebook_facts
The Facebook Facts (aka com.wFacebookFacts) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6637
MISC

preplaysports -- mlb_preplay
The MLB Preplay (aka com.preplay.android.mlb) application 5.4.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5993
MISC

psecu -- psecu_mobile+
The PSECU Mobile+ (aka com.Vertifi.Mobile.P231381116) application 2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5974
MISC

psychology_project -- psychology
The psychology (aka com.alek.psychology) application 1.0.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6019
MISC

puzzles_and_matchup_games_project -- educational_puzzles_-_letters
The Educational Puzzles - Letters (aka com.EducationalPuzzlesLetters) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5986
MISC

quranedu -- ahmed_bukhatir_nasheeds_tv
The Ahmed Bukhatir Nasheeds TV (aka com.wAhmedBukhatirApp) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6665
MISC

redhat -- network_satellite
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.
2014-09-22
4.3
CVE-2014-3595
SECUNIA

rsupport -- lg_telepresence
The LG Telepresence (aka com.rsupport.rtc.lge) application 2.0.12 Build 63 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6636
MISC

runkeeper -- runkeeper_-_gps_track_run_walk
The RunKeeper - GPS Track Run Walk (aka com.fitnesskeeper.runkeeper.pro) application 4.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5982
MISC

rutaexacta -- ruta_exacta
The Ruta Exacta (aka com.rutaexacta.m) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6675
MISC

s-peek -- s-peek_credit_rating_report
The s-peek credit rating report (aka com.rhomobile.speek) application 2.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6023
MISC

santiagosarceda -- elforro.com
The ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6647
MISC

secondfiction -- blitz_bingo
The Blitz Bingo (aka com.appMobi.sbbingo.app) application 2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6008
MISC

singaporemotherhood -- singaporemotherhood_forum
The SingaporeMotherhood Forum (aka com.tapatalk.singaporemotherhoodcomforum) application 3.6.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6670
MISC

skin_conditions_and_diseases_project -- skin_conditions_and_diseases
The Skin Conditions and Diseases (aka com.appsgeyser.wSkinConditions) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5991
MISC

skydrive_assistant_project -- skydrive_assistant
The SkyDrive Assistant (aka com.dhh.sky) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5998
MISC

socialknowledge -- aquarium_advice
The Aquarium Advice (aka com.socialknowledge.aquariumadvice) application 3.7.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5973
MISC

sos -- jobscheduler
XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.
2014-09-23
5.8
CVE-2014-5392
CONFIRM

successsecrets -- successsecrets_project
The successsecrets (aka com.alek.successsecrets) application 1.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5992
MISC

survey.com -- survey.com_mobile
The Survey.com Mobile (aka com.survey.android) application 3.2.16 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6005
MISC

telenavsoftware -- autonavi
The autonavi (aka com.telenav.doudouyou.android.autonavi) application 4.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5999
MISC

threadflip -- threadflip_:_buy,_sell_fashion
The Threadflip : Buy, Sell Fashion (aka com.threadflip.android) application 1.1.11 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-5983
MISC

three -- my3
The My3 - by 3HK (aka com.my3) application @7F0A0001 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5987
CERT-VN
MISC

ticketroundup -- ticket_round_up
The Ticket Round Up (aka com.xcr.android.ticketroundupapp) application 3.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6677
MISC

tiomobilepay -- tio_mobilepay_-_bill_payments
The TIO MobilePay - Bill Payments (aka com.tionetworks.mobile.android.tioclient) application 1.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6639
MISC

toddm -- gravity_bounce
The Gravity Bounce (aka net.toddm.gb) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6012
MISC

topappsbuilder_project -- animal_kaiser_zangetsu
The Animal Kaiser Zangetsu (aka com.wAnimalKaiserZangetsu) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5985
MISC

tucarro -- tucarro
The TuCarro (aka com.tucarro) application 2.0.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6015
MISC

tvbengali -- tv_bengali_open_directory
The TV Bengali Open Directory (aka com.TVBengali) application 1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-20
5.4
CVE-2014-5979
MISC

versentbooks -- versent_books
The Versent Books (aka com.versentbooks) application 1.1.99 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6022
MISC

wireshark -- wireshark
Use-after-free vulnerability in the SDP dissector in Wireshark 1.10.x before 1.10.10 allows remote attackers to cause a denial of service (application crash) via a crafted packet that leverages split memory ownership between the SDP and RTP dissectors.
2014-09-20
5.0
CVE-2014-6421
CONFIRM
CONFIRM

wireshark -- wireshark
The SDP dissector in Wireshark 1.10.x before 1.10.10 creates duplicate hashtables for a media channel, which allows remote attackers to cause a denial of service (application crash) via a crafted packet to the RTP dissector.
2014-09-20
5.0
CVE-2014-6422
CONFIRM
CONFIRM

wireshark -- wireshark
The tvb_raw_text_add function in epan/dissectors/packet-megaco.c in the MEGACO dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (infinite loop) via an empty line.
2014-09-20
5.0
CVE-2014-6423
CONFIRM
CONFIRM

wireshark -- wireshark
The dissect_v9_v10_pdu_data function in epan/dissectors/packet-netflow.c in the Netflow dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 refers to incorrect offset and start variables, which allows remote attackers to cause a denial of service (uninitialized memory read and application crash) via a crafted packet.
2014-09-20
5.0
CVE-2014-6424
CONFIRM
CONFIRM

wireshark -- wireshark
The (1) get_quoted_string and (2) get_unquoted_string functions in epan/dissectors/packet-cups.c in the CUPS dissector in Wireshark 1.12.x before 1.12.1 allow remote attackers to cause a denial of service (buffer over-read and application crash) via a CUPS packet that lacks a trailing ' ' character.
2014-09-20
5.0
CVE-2014-6425
CONFIRM
CONFIRM

wireshark -- wireshark
The dissect_hip_tlv function in epan/dissectors/packet-hip.c in the HIP dissector in Wireshark 1.12.x before 1.12.1 does not properly handle a NULL tree, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.
2014-09-20
5.0
CVE-2014-6426
CONFIRM

wireshark -- wireshark
Off-by-one error in the is_rtsp_request_or_reply function in epan/dissectors/packet-rtsp.c in the RTSP dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet that triggers parsing of a token located one position beyond the current position.
2014-09-20
5.0
CVE-2014-6427
CONFIRM
CONFIRM

wireshark -- wireshark
The dissect_spdu function in epan/dissectors/packet-ses.c in the SES dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not initialize a certain ID value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
2014-09-20
5.0
CVE-2014-6428
CONFIRM
CONFIRM

wireshark -- wireshark
The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not properly handle empty input data, which allows remote attackers to cause a denial of service (application crash) via a crafted file.
2014-09-20
5.0
CVE-2014-6429
CONFIRM
CONFIRM

wireshark -- wireshark
The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not validate bitmask data, which allows remote attackers to cause a denial of service (application crash) via a crafted file.
2014-09-20
5.0
CVE-2014-6430
CONFIRM
CONFIRM

wireshark -- wireshark
Buffer overflow in the SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted file that triggers writes of uncompressed bytes beyond the end of the output buffer.
2014-09-20
5.0
CVE-2014-6431
CONFIRM
CONFIRM

wireshark -- wireshark
The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not prevent data overwrites during copy operations, which allows remote attackers to cause a denial of service (application crash) via a crafted file.
2014-09-20
5.0
CVE-2014-6432
CONFIRM
CONFIRM

wizaz -- wizaz_forum
The Wizaz Forum (aka com.tapatalk.wizazplforum) application 3.6.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6652
MISC

wordbox -- algeria_radio
The Algeria Radio (aka com.wordbox.algeriaRadio) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6678
MISC

wordbox -- mahabharata_audiocast
The Mahabharata Audiocast (aka com.wordbox.mahabharataAudiocast) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6681
MISC

wordboxapps -- afghan_radio
The Afghan Radio (aka com.wordbox.afghanRadio) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6653
MISC

wtmdesktop_project -- wtmdesktop
The wTMDesktop (aka com.wTMDesktop) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6638
MISC

wtrootrootvizle_project -- wtrootrootvizle
The wTrootrooTvIzle (aka com.wTrootrooTvIzle) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-23
5.4
CVE-2014-6654
MISC

zombie_detector_project -- zombie_detector
The Zombie Detector (aka com.jimmybolstad.zombiedetector) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
2014-09-22
5.4
CVE-2014-6009
MISC

Back to top

Low Vulnerabilities

Primary
Vendor -- Product Description Published CVSS Score Source & Patch Info

d-bus_project -- d-bus
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.
2014-09-22
2.1
CVE-2014-3637
MLIST
DEBIAN
SECUNIA

d-bus_project -- d-bus
The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.
2014-09-22
2.1
CVE-2014-3638
MLIST
DEBIAN
SECUNIA

d-bus_project -- d-bus
The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.
2014-09-22
2.1
CVE-2014-3639
MLIST
DEBIAN
SECUNIA

ibm -- websphere_application_server
Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server (WAS) 6.x through 6.1.0.47, 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 allows remote authenticated administrators to inject arbitrary web script or HTML via a crafted URL.
2014-09-23
3.5
CVE-2014-4770
XF

ibm -- curam_social_program_management
Cross-site scripting (XSS) vulnerability in IBM Curam Social Program Management (SPM) 6.0.4 before 6.0.4.5 iFix7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
2014-09-23
3.5
CVE-2014-6091

Back to top

This product is provided subject to this Notification and this Privacy & Use policy.

OTHER RESOURCES:

Contact Us | Security Publications | Alerts and Tips | Related Resources

STAY CONNECTED:

SUBSCRIBER SERVICES:
Manage Preferences  |  Unsubscribe  |  Help

This email was sent to linux-security@xxxxxxxxxxx using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (703) 235-5110