Vulnerability Summary for the Week of July 7, 2014

Please Note:

• The vulnerabilities are categorized by their level of severity, which is either High, Medium or Low.

• The CVE identity number is the publicly known ID given to that particular vulnerability. You can therefore look up the status of that vulnerability using this ID.

• The CVSS (Common Vulnerability Scoring System) score is a standard scoring system used to determine the severity of the vulnerability.

High Severity Vulnerabilities

Columns: Primary Vendor -- Product | Date Published | CVSS Score | CVE Identity | Source; the description follows on the next line.

aas9 -- zerocms | 2014-07-09 | 7.5 | CVE-2014-4194 | Source: MISC
SQL injection vulnerability in zero_transact_article. in ZeroCMS 1.0 allows remote attackers to execute arbitrary SQL commands via the article_id parameter in a Submit Comment action.

adobe -- adobe_air | 2014-07-09 | 7.5 | CVE-2014-0537
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0539.

adobe -- adobe_air | 2014-07-09 | 7.5 | CVE-2014-0539
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0537.

artifectx -- xclassified | 2014-07-09 | 7.5 | CVE-2014-4741 | Source: BID, MISC
SQL injection vulnerability in demo/ads.php in Artifectx xClassified 1.2 allows remote attackers to execute arbitrary SQL commands via the catid parameter.

autodesk -- vred | 2014-07-07 | 10.0 | CVE-2014-2967 | Source: CERT-VN
Autodesk VRED Professional 2014 before SR1 SP8 allows remote attackers to execute arbitrary code via Python os library calls in Python API commands to the integrated web server.

avg -- safeguard | 2014-07-08 | 9.3 | CVE-2014-2956 | Source: CERT-VN
ScriptHelperApi in the AVG ScriptHelper ActiveX control in ScriptHelper.exe in AVG Secure Search toolbar before 18.1.7.598 and AVG Safeguard before 18.1.7.644 does not implement domain-based access control for method calls, which allows remote attackers to trigger the downloading and execution of arbitrary programs via a crafted web site.

cisco -- unified_cdm_application_software | 2014-07-07 | 9.0 | CVE-2014-2197
The Administration GUI in Cisco Unified Communications Domain Manager (CDM) in Unified CDM Application Software before 8.1.4 does not properly implement access control, which allows remote authenticated users to modify administrative credentials via a crafted URL, aka Bug ID CSCun49862.

cisco -- unified_cdm_platform_software | 2014-07-07 | 10.0 | CVE-2014-2198
Cisco Unified Communications Domain Manager (CDM) in Unified CDM Platform Software before 4.4.2 has a hardcoded SSH private key, which makes it easier for remote attackers to obtain access to the support and root accounts by extracting this key from a binary file found in a different installation of the product, aka Bug ID CSCud41130.

cisco -- unified_cdm_application_software | 2014-07-07 | 7.5 | CVE-2014-3300
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM) in Unified CDM Application Software before 10 does not properly implement access control, which allows remote attackers to modify user information via a crafted URL, aka Bug ID CSCum77041.

dahuasecurity -- dvr_firmware | 2014-07-11 | 7.5 | CVE-2013-6117 | Source: OSVDB, EXPLOIT-DB, BUGTRAQ, MISC, MISC
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

docker -- docker | 2014-07-11 | 7.2 | CVE-2014-3499 | Source: CONFIRM, REDHAT
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

emc -- documentum_content_server | 2014-07-08 | 8.2 | CVE-2014-2513 | Source: BUGTRAQ
EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P15, 7.0 before P15, and 7.1 before P06 does not properly check authorization after creation of an object, which allows remote authenticated users to execute arbitrary code with super-user privileges via a custom script.

emc -- documentum_content_server | 2014-07-08 | 8.2 | CVE-2014-2514 | Source: BUGTRAQ
EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P15, 7.0 before P15, and 7.1 before P06 does not properly check authorization and does not properly restrict object types, which allows remote authenticated users to run save RPC commands with super-user privileges, and consequently execute arbitrary code, via unspecified vectors.

foecms -- foecms | 2014-07-10 | 7.5 | CVE-2014-4850 | Source: MISC
SQL injection vulnerability in index.php in FoeCMS allows remote attackers to execute arbitrary SQL commands via the i parameter.

hp -- sitescope | 2014-07-07 | 7.5 | CVE-2014-2614
Unspecified vulnerability in HP SiteScope 11.1x through 11.13 and 11.2x through 11.24 allows remote attackers to bypass authentication via unknown vectors, aka ZDI-CAN-2140.

hp -- universal_configuration_management_database | 2014-07-07 | 7.5 | CVE-2014-2615
Unspecified vulnerability in HP Universal CMDB 10.01 and 10.10 allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors, aka ZDI-CAN-2083.

hp -- universal_configuration_management_database | 2014-07-07 | 7.5 | CVE-2014-2616
Unspecified vulnerability in HP Universal CMDB 10.01 and 10.10 allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors, aka ZDI-CAN-2091.

hp -- universal_configuration_management_database | 2014-07-07 | 10.0 | CVE-2014-2617
Unspecified vulnerability in HP Universal CMDB 10.01 and 10.10 allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors, aka ZDI-CAN-2104.

microsoft -- windows_7 | 2014-07-08 | 7.2 | CVE-2014-1767
Double free vulnerability in the Ancillary Function Driver (AFD) in afd.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."

microsoft -- windows_7 | 2014-07-08 | 9.3 | CVE-2014-1824
Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted Journal (aka .JNT) file, aka "Windows Journal Remote Code Execution Vulnerability."

microsoft -- windows_7 | 2014-07-08 | 7.6 | CVE-2014-2781
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly restrict the exchange of keyboard and mouse data between programs at different integrity levels, which allows attackers to bypass intended access restrictions by leveraging control over a low-integrity process to launch the On-Screen Keyboard (OSK) and then upload a crafted application, aka "On-Screen Keyboard Elevation of Privilege Vulnerability."

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2785
Microsoft Internet Explorer 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2786
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2792 and CVE-2014-2813.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2787
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2790, CVE-2014-2802, and CVE-2014-2806.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2788
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2794.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2789
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2790
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2787, CVE-2014-2802, and CVE-2014-2806.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2791
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2792
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2786 and CVE-2014-2813.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2794
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2795
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2789, CVE-2014-2798, and CVE-2014-2804.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2797
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2798
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2789, CVE-2014-2795, and CVE-2014-2804.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2800
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2807 and CVE-2014-2809.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2801
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2802
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2787, CVE-2014-2790, and CVE-2014-2806.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2803
Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2804
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2789, CVE-2014-2795, and CVE-2014-2798.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2806
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2787, CVE-2014-2790, and CVE-2014-2802.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2807
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2800 and CVE-2014-2809.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2809
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2800 and CVE-2014-2807.

microsoft -- internet_explorer | 2014-07-08 | 9.3 | CVE-2014-2813
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2786 and CVE-2014-2792.

netgear -- gs108pe | 2014-07-07 | 8.3 | CVE-2014-2969 | Source: CERT-VN
NETGEAR GS108PE Prosafe Plus switches with firmware 1.2.0.5 have a hardcoded password of debugpassword for the ntgruser account, which allows remote attackers to upload firmware or read or modify memory contents, and consequently execute arbitrary code, via a request to (1) produce_burn.cgi, (2) register_debug.cgi, or (3) bootcode_update.cgi.

netiq -- security_manager | 2014-07-07 | 7.5 | CVE-2014-0602
Directory traversal vulnerability in the DumpToFile method in the NQMcsVarSet ActiveX control in NetIQ Security Manager through 6.5.4 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3460.

php -- php | 2014-07-09 | 7.5 | CVE-2014-3515 | Source: CONFIRM
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.

realnetworks -- realplayer | 2014-07-07 | 9.3 | CVE-2014-3113 | Source: MISC
Multiple buffer overflows in RealNetworks RealPlayer before 17.0.10.8 allow remote attackers to execute arbitrary code via a malformed (1) elst or (2) stsz atom in an MP4 file.

rubyonrails -- ruby_on_rails | 2014-07-07 | 7.5 | CVE-2014-3482 | Source: MLIST, MLIST
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.

rubyonrails -- ruby_on_rails | 2014-07-07 | 7.5 | CVE-2014-3483 | Source: MLIST, MLIST
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting.

thedigitalcraft -- atomcms | 2014-07-10 | 7.5 | CVE-2014-4852 | Source: BID, MISC
SQL injection vulnerability in admin/uploads.php in The Digital Craft AtomCMS, possibly 2.0, allows remote attackers to execute arbitrary SQL commands via the id parameter.

xnview -- xnview | 2014-07-09 | 9.3 | CVE-2012-4988 | Source: XF, BID, MISC, SECUNIA, FULLDISC, OSVDB
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

yokogawa -- b/m9000_vp_software | 2014-07-10 | 8.3 | CVE-2014-3888
Stack-based buffer overflow in BKFSim_vhfd.exe in Yokogawa CENTUM CS 1000, CENTUM CS 3000 R3.09.50 and earlier, CENTUM VP R5.03.20 and earlier, Exaopc R3.72.00 and earlier, B/M9000CS R5.05.01 and earlier, and B/M9000 VP R7.03.01 and earlier, when FCS/Test Function is enabled, allows remote attackers to execute arbitrary code via a crafted packet.

Medium Severity Vulnerabilities

Columns: Primary Vendor -- Product | Date Published | CVSS Score | CVE Identity | Source; the description follows on the next line.

adobe -- adobe_air | 2014-07-09 | 6.8 | CVE-2014-4671 | Source: MISC
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.

apache -- cxf | 2014-07-07 | 4.3 | CVE-2014-0034 | Source: REDHAT, REDHAT, REDHAT
The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token.

apache -- cxf | 2014-07-07 | 4.3 | CVE-2014-0035 | Source: REDHAT, REDHAT, REDHAT
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

apache -- syncope | 2014-07-11 | 5.0 | CVE-2014-3503 | Source: BID, BUGTRAQ, MISC
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

blogstand_banner_plugin_project -- blogstand-smart-banner | 2014-07-10 | 4.3 | CVE-2014-4848 | Source: MISC
Cross-site scripting (XSS) vulnerability in the Blogstand Banner (blogstand-smart-banner) plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the bs_blog_id parameter to wp-admin/options-general.php.

buffercode -- random_banner | 2014-07-10 | 4.3 | CVE-2014-4847 | Source: MISC
Cross-site scripting (XSS) vulnerability in the Random Banner plugin 1.1.2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the buffercode_RBanner_url_banner1 parameter in an update action to wp-admin/options.php.

christos_zoulas -- file | 2014-07-09 | 4.3 | CVE-2014-0207 | Source: CONFIRM, CONFIRM, MLIST
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

christos_zoulas -- file | 2014-07-09 | 5.0 | CVE-2014-3478 | Source: CONFIRM, MLIST
Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.

christos_zoulas -- file | 2014-07-09 | 4.3 | CVE-2014-3479 | Source: CONFIRM, MLIST
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.

christos_zoulas -- file | 2014-07-09 | 4.3 | CVE-2014-3480 | Source: CONFIRM, MLIST
The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.

christos_zoulas -- file | 2014-07-09 | 4.3 | CVE-2014-3487 | Source: CONFIRM, MLIST
The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.

cisco -- asr_9000_rsp440_router | 2014-07-07 | 6.4 | CVE-2014-3308
Cisco IOS XR on Trident line cards in ASR 9000 devices lacks a static punt policer, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted packets, aka Bug ID CSCun83985.

cisco -- ios | 2014-07-09 | 5.0 | CVE-2014-3309
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

cisco -- webex_meeting_center | 2014-07-10 | 4.3 | CVE-2014-3310
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

cisco -- webex_meeting_center | 2014-07-10 | 5.1 | CVE-2014-3311
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

cisco -- spa901_1-line_ip_phone | 2014-07-09 | 6.9 | CVE-2014-3312
The debug console interface on Cisco Small Business SPA300 and SPA500 phones does not properly perform authentication, which allows local users to execute arbitrary debug-shell commands, or read or modify data in memory or a filesystem, via direct access to this interface, aka Bug ID CSCun77435.

cisco -- spa901_1-line_ip_phone | 2014-07-09 | 4.3 | CVE-2014-3313
Cross-site scripting (XSS) vulnerability in the web user interface on Cisco Small Business SPA300 and SPA500 phones allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuo52582.

cisco -- unified_communications_manager | 2014-07-10 | 4.3 | CVE-2014-3315
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

cisco -- unified_communications_manager | 2014-07-10 | 4.0 | CVE-2014-3316
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

cisco -- unified_communications_manager | 2014-07-10 | 4.0 | CVE-2014-3318
Directory traversal vulnerability in dna/viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via a crafted URL, aka Bug ID CSCup76318.

citrix -- xendesktop | 2014-07-11 | 4.9 | CVE-2014-4700
Citrix XenDesktop 7.x, 5.x, and 4.x, when pooled random desktop groups is enabled and ShutdownDesktopsAfterUse is disabled, allows local guest users to gain access to another user's desktop via unspecified vectors.

custom_banners_plugin_project -- custom_banners | 2014-07-07 | 4.3 | CVE-2014-4724 | Source: MISC
Cross-site scripting (XSS) vulnerability in the Custom Banners plugin 1.2.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the custom_banners_registered_name parameter to wp-admin/options.php.

d-link -- dir-645 | 2014-07-07 | 4.3 | CVE-2013-7389 | Source: MISC, OSVDB, OSVDB, OSVDB
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

dolibarr -- dolibarr | 2014-07-11 | 4.3 | CVE-2014-3991 | Source: MISC
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6) mainmenu, or (7) leftmenu parameter to index.php; the (8) dol_use_jmobile, (9) dol_optimize_smallscreen, (10) dol_no_mouse_hover, (11) dol_hide_topmenu, or (12) dol_hide_leftmenu parameter to user/index.php; the (13) dol_use_jmobile, (14) dol_optimize_smallscreen, (15) dol_no_mouse_hover, (16) dol_hide_topmenu, or (17) dol_hide_leftmenu parameter to user/logout.php; the (18) email, (19) firstname, (20) job, (21) lastname, or (22) login parameter in an update action in a "User Card" to user/fiche.php; or the (23) modulepart or (24) file parameter to viewimage.php.

dolibarr -- dolibarr | 2014-07-11 | 6.5 | CVE-2014-3992 | Source: MISC
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote authenticated users to execute arbitrary SQL commands via the (1) entity parameter in an update action to user/fiche.php or (2) sortorder parameter to user/group/index.php.

easy_banners_plugin_project -- easy_banners | 2014-07-07 | 4.3 | CVE-2014-4723 | Source: MISC
Cross-site scripting (XSS) vulnerability in the Easy Banners plugin 1.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter to wp-admin/options-general.php.

email::address_module_project -- email::address | 2014-07-06 | 5.0 | CVE-2014-4720 | Source: CONFIRM, MLIST
Email::Address module before 1.904 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via vectors related to "backtracking into the phrase," a different vulnerability than CVE-2014-0477.

emc -- centerstage | 2014-07-08 | 6.8 | CVE-2014-2510 | Source: BUGTRAQ
The JAXB XML parser in EMC Documentum Foundation Services (DFS) 6.6 before P39, 6.7 SP1 before P28, and 6.7 SP2 before P15, as used in My Documentum for Desktop, My Documentum for Microsoft Outlook, and CenterStage, allows remote authenticated users to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

foecms -- foecms | 2014-07-10 | 4.3 | CVE-2014-4849 | Source: MISC
Multiple cross-site scripting (XSS) vulnerabilities in msg.php in FoeCMS allow remote attackers to inject arbitrary web script or HTML via the (1) e or (2) r parameter.

foecms -- foecms | 2014-07-10 | 5.8 | CVE-2014-4851 | Source: MISC
Open redirect vulnerability in msg.php in FoeCMS allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the r parameter.

foxitsoftware -- foxit_pdf_sdk_dll | 2014-07-07 | 6.8 | CVE-2014-4646 | Source: MISC, SECUNIA
Buffer overflow in the FPDFBookmark_GetTitle method in Foxit PDF SDK DLL before 3.1.1.5005 allows context-dependent attackers to execute arbitrary code via unspecified vectors.

ibm -- flex_system_manager | 2014-07-07 | 5.0 | CVE-2013-5423 | Source: XF, AIXAPAR
IBM Flex System Manager (FSM) 1.1 through 1.3 before 1.3.2.0 allows remote attackers to enumerate user accounts via unspecified vectors.

ibm -- advanced_management_module | 2014-07-07 | 5.0 | CVE-2014-0860 | Source: XF
The firmware before 3.66E in IBM BladeCenter Advanced Management Module (AMM), the firmware before 1.43 in IBM Integrated Management Module (IMM), and the firmware before 4.15 in IBM Integrated Management Module II (IMM2) contains cleartext IPMI credentials, which allows attackers to execute arbitrary IPMI commands, and consequently establish a blade remote-control session, by leveraging access to (1) the chassis internal network or (2) the Ethernet-over-USB interface.

ibm -- algo_credit_limits | 2014-07-07 | 6.8 | CVE-2014-0864 | Source: MISC, XF
Multiple cross-site request forgery (CSRF) vulnerabilities in Executer in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allow remote attackers to hijack the authentication of arbitrary users for requests that change (1) a deal's currency or (2) a limit via a crafted XML document.

ibm -- algo_credit_limits | 2014-07-07 | 4.9 | CVE-2014-0865 | Source: MISC, XF, CONFIRM
RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics relies on client-side input validation, which allows remote authenticated users to bypass intended dual-control restrictions and modify data via crafted serialized objects, as demonstrated by limit manipulations.

ibm -- algo_credit_limits | 2014-07-07 | 4.3 | CVE-2014-0866 | Source: MISC, XF
RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics sends cleartext credentials over HTTP, which allows remote attackers to obtain sensitive information by sniffing the network.

ibm -- algo_credit_limits | 2014-07-07 | 5.8 | CVE-2014-0867 | Source: MISC, XF
rcore6/main/addcookie.jsp in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows remote attackers to create or modify cookies via the query string.

ibm -- algo_credit_limits | 2014-07-07 | 4.9 | CVE-2014-0868 | Source: MISC, XF
RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics relies on client-side input validation, which allows remote authenticated users to bypass intended dual-control restrictions and modify data via a crafted XML document, as demonstrated by manipulation of read-only limit data.

ibm -- algo_credit_limits | 2014-07-07 | 4.3 | CVE-2014-0869 | Source: MISC, XF
The decrypt function in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics does not require a key, which makes it easier for remote attackers to obtain cleartext passwords by sniffing the network and then providing a string argument to this function.

ibm -- algo_credit_limits | 2014-07-07 | 4.3 | CVE-2014-0870 | Source: MISC, XF
Multiple cross-site scripting (XSS) vulnerabilities in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allow remote attackers to inject arbitrary web script or HTML via (1) the Message parameter to rcore6/main/showerror.jsp, (2) the ButtonsetClass parameter to rcore6/main/buttonset.jsp, (3) the MBName parameter to rcore6/frameset.jsp, (4) the Init parameter to algopds/rcore6/main/browse.jsp, or the (5) Name, (6) StoreName, or (7) STYLESHEET parameter to algopds/rcore6/main/ibrowseheader.jsp.

ibm -- algo_credit_limits | 2014-07-07 | 4.3 | CVE-2014-0871 | Source: MISC, XF
RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows remote attackers to obtain potentially sensitive Tomcat stack-trace information via non-printing characters in a cookie to the /classes/ URI, as demonstrated by the \x00 character.

kajona -- kajona | 2014-07-09 | 4.3 | CVE-2014-4742 | Source: MISC, CONFIRM, SECUNIA
Cross-site scripting (XSS) vulnerability in system/class_link.php in the System module (module_system) in Kajona before 4.5 allows remote attackers to inject arbitrary web script or HTML via the systemid parameter in a mediaFolder action to index.php.

kajona -- kajona | 2014-07-09 | 4.3 | CVE-2014-4743 | Source: CONFIRM, SECUNIA
Multiple cross-site scripting (XSS) vulnerabilities in (1) search_ajax.tpl and (2) search_ajax_small.tpl in templates/default/tpl/module_search/ in the Search module (module_search) in Kajona before 4.5 allow remote attackers to inject arbitrary web script or HTML via the search parameter.

liferay -- liferay_portal | 2014-07-10 | 4.3 | CVE-2014-2963 | Source: CONFIRM
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

linux -- linux_kernel | 2014-07-09 | 6.9 | CVE-2014-4699 | Source: CONFIRM, CONFIRM, MLIST, CONFIRM, MLIST, MLIST, MLIST, CONFIRM
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.

matchalabs -- metaslider | 2014-07-10 | 4.3 | CVE-2014-4846 | Source: MISC
Cross-site scripting (XSS) vulnerability in the Meta Slider (ml-slider) plugin 2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter to wp-admin/admin.php.

microsoft -- windows_7 | 2014-07-08 | 6.9 | CVE-2014-2780
DirectShow in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows local users to gain privileges by leveraging control over a low-integrity process to execute a crafted application, aka "DirectShow Elevation of Privilege Vulnerability."

microsoft -- internet_explorer | 2014-07-08 | 6.4 | CVE-2014-2783
Microsoft Internet Explorer 7 through 11 does not prevent use of wildcard EV SSL certificates, which might allow remote attackers to spoof a trust level by leveraging improper issuance of a wildcard certificate by a recognized Certification Authority, aka "Extended Validation (EV) Certificate Security Feature Bypass Vulnerability."

microsoft -- service_bus | 2014-07-08 | 4.0 | CVE-2014-2814
Microsoft Service Bus 1.1 on Microsoft Windows Server 2008 R2 SP1 and Server 2012 Gold and R2 allows remote authenticated users to cause a denial of service (AMQP messaging outage) via crafted AMQP messages, aka "Service Bus Denial of Service Vulnerability."

ocsinventory-ng -- ocsinventory_ng | 2014-07-07 | 4.3 | CVE-2014-4722 | Source: BID, MISC
Multiple cross-site scripting (XSS) vulnerabilities in the OCS Reports Web Interface in OCS Inventory NG allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

op5 -- monitor | 2014-07-11 | 4.3 | CVE-2014-4907 | Source: CONFIRM, BID, SECUNIA, MLIST
Cross-site scripting (XSS) vulnerability in share/pnp/application/views/kohana_error_page.php in PNP4Nagios before 0.6.22 allows remote attackers to inject arbitrary web script or HTML via a parameter that is not properly handled in an error message.

opendocman -- opendocman | 2014-07-10 | 4.3 | CVE-2014-4853 | Source: MISC, MISC
Cross-site scripting (XSS) vulnerability in odm-init.php in OpenDocMan before 1.2.7.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name of an uploaded file.
osticket -- osticket Multiple cross-site scripting (XSS) vulnerabilities in 2014-07-09 4.3 CVE-2014-4744 MISC osTicket before 1.9.2 allow remote attackers to SECUNIA inject arbitrary web script or HTML via the (1) Phone Number field to open.php or (2) Phone number field, (3) passwd1 field, (4) passwd2 field, or (5) do parameter to account.php. php -- php Use-after-free vulnerability in ext/spl/spl_dllist.c in 2014-07-10 4.6 CVE-2014-4670 CONFIRM the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments. php -- php Use-after-free vulnerability in ext/spl/spl_array.c in 2014-07-10 4.6 CVE-2014-4698 CONFIRM the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments. pnp4nagios -- Cross-site scripting (XSS) vulnerability in 2014-07-09 4.3 CVE-2014-4740 BID pnp4nagios share/pnp/application/views/kohana_error_page.p SECUNIA hp in PNP4Nagios before 0.6.22 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, which is not properly handled in an error message. pnp4nagios -- Multiple cross-site scripting (XSS) vulnerabilities in 2014-07-11 4.3 CVE-2014-4908 BID pnp4nagios PNP4Nagios through 0.6.22 allow remote attackers SECUNIA to inject arbitrary web script or HTML via the URI MLIST used for reaching (1) share/pnp/application/views/kohana_error_page.p hp or (2) share/pnp/application/views/template.php, leading to improper handling within an http- equiv="refresh" META element. 
polldaddy_polls_&_ Cross-site scripting (XSS) vulnerability in the 2014-07-10 4.3 CVE-2014-4856 SECUNIA ratings_plugin_proj Polldaddy Polls & Ratings plugin before 2.0.25 for ect -- WordPress allows remote attackers to inject polldaddy_polls_&_ arbitrary web script or HTML via vectors related to a ratings ratings shortcode and a unique ID. NOTE: some of these details are obtained from third party information. polylang_plugin_pr Cross-site scripting (XSS) vulnerability in the 2014-07-10 4.3 CVE-2014-4855 SECUNIA oject -- polylang Polylang plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via vectors related to a user description. NOTE: some of these details are obtained from third party information. redhat -- Cumin (aka MRG Management Console), as used in 2014-07-11 4.3 CVE-2014-0174 enterprise_mrg Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. redhat -- Cross-site scripting (XSS) vulnerability in 2014-07-07 4.3 CVE-2014-0176 cloudforms_3.0_ma application/panel_control in CloudForms 3.0 nagement_engine Management Engine (CFME) before 5.2.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. redhat -- The wait_for_task function in 2014-07-07 5.0 CVE-2014-0180 cloudforms_3.0_ma app/controllers/application_controller.rb in Red nagement_engine Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via unspecified vectors. redhat -- Red Hat CloudForms 3.0 Management Engine 2014-07-07 4.9 CVE-2014-0184 cloudforms_3.0_ma (CFME) before 5.2.4.2 logs the root password when nagement_engine deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file. 
redhat -- org.jboss.seam.web.AuthenticationFilter in Red Hat 2014-07-07 6.8 CVE-2014-0248 SECTRACK jboss_enterprise_ap JBoss Web Framework Kit 2.5.0, JBoss Enterprise SECUNIA plication_platform Application Platform (JBEAP) 5.2.0, and JBoss SECUNIA Enterprise Web Platform (JBEWP) 5.2.0 allows remote attackers to execute arbitrary code via a crafted authentication header, related to Seam logging. redhat -- org.jboss.as.jaxrs.deployment.JaxrsIntegrationProc 2014-07-07 5.0 CVE-2014-3481 CONFIRM jboss_enterprise_ap essor in Red Hat JBoss Enterprise Application REDHAT plication_platform Platform (JEAP) before 6.2.4 enables entity REDHAT expansion, which allows remote attackers to read REDHAT arbitrary files via unspecified vectors, related to an XML External Entity (XXE) issue. redhat -- The REST API in the ovirt-engine in oVirt, as used in 2014-07-11 4.0 CVE-2014-3485 SECTRACK enterprise_virtualiz Red Hat Enterprise Virtualization (rhevm) 3.4, allows ation remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue. redhat -- The (1) shell_exec function in 2014-07-07 6.9 CVE-2014-3486 CONFIRM cloudforms_3.0_ma lib/util/MiqSshUtilV1.rb and (2) temp_cmd_file nagement_engine function in lib/util/MiqSshUtilV2.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allow local users to execute arbitrary commands via a symlink attack on a temporary file with a predictable name. redhat -- lib/util/miq-password.rb in Red Hat CloudForms 3.0 2014-07-07 4.3 CVE-2014-3489 cloudforms_3.0_ma Management Engine (CFME) before 5.2.4.2 uses a nagement_engine hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack. rimarts -- becky! Buffer overflow in RimArts Becky! Internet Mail 2014-07-09 6.8 CVE-2014-3891 JVNDB _internet_mail before 2.68 allows remote POP3 servers to execute JVN arbitrary code via a crafted response. 
smartcatdesign -- Cross-site scripting (XSS) vulnerability in the WP 2014-07-10 4.3 CVE-2014-4854 MISC wp_contruction_m Construction Mode plugin 1.8 for WordPress allows ode remote attackers to inject arbitrary web script or HTML via the wuc_logo parameter in a save action to wp-admin/admin.php. stillbreathing -- Cross-site scripting (XSS) vulnerability in the 2014-07-10 4.3 CVE-2014-4845 MISC bannerman BannerMan plugin 0.2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the bannerman_background parameter to wp-admin/options-general.php.

Low Severity Vulnerabilities
(Primary Vendor -- Product | Date Published | CVSS Score | CVE Identity | Source)

ibm -- infosphere_biginsights | Published 2014-07-07 | CVSS 3.5 | CVE-2013-3993 | Source: XF
IBM InfoSphere BigInsights before 2.1.0.3 allows remote authenticated users to bypass intended file and directory restrictions, or access untrusted data or code, via crafted parameters in unspecified API calls.

ibm -- storwize_unified_v7000_software | Published 2014-07-07 | CVSS 3.5 | CVE-2014-0875
Active Cloud Engine (ACE) in IBM Storwize V7000 Unified 1.3.0.0 through 1.4.3.x allows remote attackers to bypass intended ACL restrictions in opportunistic circumstances by leveraging incorrect ACL synchronization over an unreliable NFS connection that requires retransmissions.

ibm -- algo_credit_limits | Published 2014-07-07 | CVSS 3.5 | CVE-2014-0894 | Source: MISC, XF
RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows context-dependent attackers to discover database credentials by reading the DbUser and DbPass fields in an XML document.

openstack -- neutron | Published 2014-07-11 | CVSS 3.5 | CVE-2014-4167 | Source: CONFIRM, UBUNTU, SECUNIA, MLIST
The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (IPv4 address attachment outage) by attaching an IPv6 private subnet to a L3 router.

php -- php | Published 2014-07-06 | CVSS 2.6 | CVE-2014-4721 | Source: MISC, CONFIRM, CONFIRM, MISC
The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.

xen -- xen | Published 2014-07-09 | CVSS 2.7 | CVE-2014-4022 | Source: SECTRACK, BID, SECUNIA
The alloc_domain_struct function in arch/arm/domain.c in Xen 4.4.x, when running on an ARM platform, does not properly initialize the structure containing the grant table pages for a domain, which allows local guest administrators to obtain sensitive information via the GNTTABOP_setup_table subhypercall.

• Sources: http://nvd.nist.gov (for more information, visit the National Vulnerability Database (NVD), which holds a record of every vulnerability that has been published).

Uganda Communications Commission – UGCERT
Email: [email protected]
Tel: +256 414 302 100/150
Toll Free: 0800 133 911
Website: www.ug-cert.ug
Facebook / Twitter: UGCERT