Vulnerability Summary for the Week of March 10, 2014

Please Note:

• The vulnerabilities are categorized by severity as High, Medium or Low. The ranges used here follow the US-CERT bulletin convention and match the scores in the tables below: High is a CVSS base score of 7.0 to 10.0, Medium is 4.0 to 6.9, and Low is 0.0 to 3.9.

• The CVE identity number is the publicly known identifier (CVE-YYYY-NNNN) assigned to that particular vulnerability. You can look up the current status of the vulnerability, including fixed versions and vendor references, by searching for that ID at the source listed at the end of this bulletin.

• The CVSS (Common Vulnerability Scoring System) score is the industry-standard numeric rating, from 0.0 to 10.0, of how severe a vulnerability is; the severity category of each entry is derived from this score.

High Severity Vulnerabilities
(Columns: Primary Vendor -- Product; Description; Date Published; CVSS Score; CVE Identity)

adobe -- shockwave_player
  Adobe Shockwave Player before 12.1.0.150 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
  Published: 2014-03-14 | CVSS: 10.0 | CVE-2014-0505

apple -- iphone_os
  Backup in Apple iOS before 7.1 does not properly restrict symlinks, which allows remote attackers to overwrite files during a restore operation via crafted backup data.
  Published: 2014-03-14 | CVSS: 8.8 | CVE-2013-5133

apple -- apple_tv
  CoreCapture in Apple iOS before 7.1 and Apple TV before 6.1 does not properly validate IOKit API calls, which allows attackers to cause a denial of service (assertion failure and device crash) via a crafted app.
  Published: 2014-03-14 | CVSS: 7.8 | CVE-2014-1271

apple -- apple_tv
  The ptmx_get_ioctl function in the ARM kernel in Apple iOS before 7.1 and Apple TV before 6.1 allows local users to gain privileges or cause a denial of service (out-of-bounds memory access and device crash) via a crafted call.
  Published: 2014-03-14 | CVSS: 7.2 | CVE-2014-1278

apple -- apple_tv
  Video Driver in Apple iOS before 7.1 and Apple TV before 6.1 allows remote attackers to cause a denial of service (NULL pointer dereference and device hang) via a crafted video file with MPEG-4 encoding.
  Published: 2014-03-14 | CVSS: 7.1 | CVE-2014-1280

apple -- apple_tv
  USB Host in Apple iOS before 7.1 and Apple TV before 6.1 allows physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted USB messages.
  Published: 2014-03-14 | CVSS: 7.2 | CVE-2014-1287

atcom -- netvolution
  SQL injection vulnerability in ATCOM Netvolution 3 allows remote attackers to execute arbitrary SQL commands via the m parameter.
  Published: 2014-03-11 | CVSS: 7.5 | CVE-2014-2318

citrix -- netscaler_application_delivery_controller_firmware
  Unspecified vulnerability in Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 allows users to "breakout" of the shell via unknown vectors.
  Published: 2014-03-11 | CVSS: 10.0 | CVE-2013-6941

freetype -- freetype
  Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of stem hints in a font file.
  Published: 2014-03-12 | CVSS: 7.5 | CVE-2014-2240

google -- chrome
  Use-after-free vulnerability in modules/speech/SpeechSynthesis.cpp in Blink, as used in Google Chrome before 33.0.1750.149, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of a certain utterance data structure.
  Published: 2014-03-16 | CVSS: 7.5 | CVE-2014-1700

google -- chrome
  Use-after-free vulnerability in the DatabaseThread::cleanupDatabaseThread function in modules/webdatabase/DatabaseThread.cpp in the web database implementation in Blink, as used in Google Chrome before 33.0.1750.149, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of scheduled tasks during shutdown of a thread.
  Published: 2014-03-16 | CVSS: 7.5 | CVE-2014-1702

google -- chrome
  Use-after-free vulnerability in the WebSocketDispatcherHost::SendOrDrop function in content/browser/renderer_host/websocket_dispatcher_host.cc in the Web Sockets implementation in Google Chrome before 33.0.1750.149 might allow remote attackers to bypass the sandbox protection mechanism by leveraging an incorrect deletion in a certain failure case.
  Published: 2014-03-16 | CVSS: 7.5 | CVE-2014-1703

google -- chrome
  Multiple unspecified vulnerabilities in Google V8 before 3.23.17.18, as used in Google Chrome before 33.0.1750.149, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
  Published: 2014-03-16 | CVSS: 10.0 | CVE-2014-1704

google -- chrome
  Google V8, as used in Google Chrome before 33.0.1750.152 on OS X and Linux and before 33.0.1750.154 on Windows, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
  Published: 2014-03-16 | CVSS: 7.5 | CVE-2014-1705

google -- chrome_os
  crosh in Google Chrome OS before 33.0.1750.152 allows attackers to inject commands via unspecified vectors.
  Published: 2014-03-16 | CVSS: 7.5 | CVE-2014-1706

google -- chrome_os
  Directory traversal vulnerability in CrosDisks in Google Chrome OS before 33.0.1750.152 has unspecified impact and attack vectors.
  Published: 2014-03-16 | CVSS: 7.5 | CVE-2014-1707

google -- chrome_os
  The boot implementation in Google Chrome OS before 33.0.1750.152 does not properly consider file persistence, which allows remote attackers to execute arbitrary code via unspecified vectors.
  Published: 2014-03-16 | CVSS: 10.0 | CVE-2014-1708

google -- chrome_os
  The AsyncPixelTransfersCompletedQuery::End function in gpu/command_buffer/service/query_manager.cc in Google Chrome, as used in Google Chrome OS before 33.0.1750.152, does not check whether a certain position is within the bounds of a shared-memory segment, which allows remote attackers to cause a denial of service (GPU command-buffer memory corruption) or possibly have unspecified other impact via unknown vectors.
  Published: 2014-03-16 | CVSS: 7.5 | CVE-2014-1710

google -- chrome_os
  The GPU driver in the kernel in Google Chrome OS before 33.0.1750.152 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors.
  Published: 2014-03-16 | CVSS: 7.5 | CVE-2014-1711
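The ATCOM Netvolution entry above (CVE-2014-2318, arbitrary SQL via the m parameter) is the classic shape of a SQL injection, and the same pattern recurs in the Medium table (the eventid parameter in Simple PHP Agenda, and the InfoSphere Information Server entries). The following is an added example, not ATCOM's or any vendor's code: it reproduces the flaw against an in-memory SQLite database and shows the hardened lookup beside it. The schema, the table and column names, and the page lookup function are constructed for the demo.

```python
"""Added example: the SQL-injection pattern behind the Netvolution `m`
parameter entry, shown against an in-memory SQLite database. Illustrative
code; schema and lookup are constructed, not taken from any product."""
import sqlite3


def build_db():
    """Constructed sample database: a public 'pages' table and a 'users'
    table that the page lookup must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO pages VALUES (1, 'Home', 'welcome'), (2, 'About', 'about us');
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed-hash-value');
    """)
    return conn


def page_lookup_vulnerable(conn, m):
    """The flawed pattern: the request parameter is pasted into the SQL text,
    so whatever the caller puts in `m` becomes part of the statement."""
    sql = "SELECT title, body FROM pages WHERE id = " + m
    return conn.execute(sql).fetchall()


def page_lookup_fixed(conn, m):
    """Hardened: enforce the type the application actually expects, then bind
    the value as a parameter so it can never change the statement's shape."""
    try:
        page_id = int(m)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT title, body FROM pages WHERE id = ?", (page_id,)
    ).fetchall()


# Two constructed payloads for the `m` parameter.
UNION_PAYLOAD = "1 UNION ALL SELECT name, pw_hash FROM users"  # read another table
TAUTOLOGY_PAYLOAD = "0 OR 1=1"                                 # return every page


def run_demo():
    """Run both lookups against a normal id and against both payloads."""
    conn = build_db()
    return {
        "normal_vulnerable": page_lookup_vulnerable(conn, "1"),
        "normal_fixed": page_lookup_fixed(conn, "1"),
        "union_vulnerable": page_lookup_vulnerable(conn, UNION_PAYLOAD),
        "union_fixed": page_lookup_fixed(conn, UNION_PAYLOAD),
        "tautology_vulnerable": page_lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "tautology_fixed": page_lookup_fixed(conn, TAUTOLOGY_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label:22s} -> {rows}")
```

The vulnerable lookup returns the admin's password hash for the UNION payload and every page for the tautology; the fixed lookup returns an empty result for both because neither string is an integer, and even a valid integer is bound as data rather than spliced into the statement. Type enforcement alone is not the fix for string-valued parameters; the parameter binding is what makes the query safe regardless of type.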

Medium Severity Vulnerabilities
(Columns: Primary Vendor -- Product; Description; Date Published; CVSS Score; CVE Identity)

abeel -- simple_php_agenda
  SQL injection vulnerability in edit_event. in Simple PHP Agenda before 2.2.9 allows remote authenticated users to execute arbitrary SQL commands via the eventid parameter.
  Published: 2014-03-11 | CVSS: 6.5 | CVE-2013-3961

adobe -- flash_player
  Adobe Flash Player before 11.7.700.272 and 11.8.x through 12.0.x before 12.0.0.77 on Windows and OS X, and before 11.2.202.346 on Linux, allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
  Published: 2014-03-12 | CVSS: 6.4 | CVE-2014-0503

adobe -- flash_player
  Adobe Flash Player before 11.7.700.272 and 11.8.x through 12.0.x before 12.0.0.77 on Windows and OS X, and before 11.2.202.346 on Linux, allows attackers to read the clipboard via unspecified vectors.
  Published: 2014-03-12 | CVSS: 5.0 | CVE-2014-0504

aker -- secure_mail_gateway
  Cross-site scripting (XSS) vulnerability in index.php in Aker Secure Mail Gateway 2.5.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg_id parameter.
  Published: 2014-03-11 | CVSS: 4.3 | CVE-2013-6037

apache -- http_server
  The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.
  Published: 2014-03-18 | CVSS: 5.0 | CVE-2013-6438

apache -- struts
  The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
  Published: 2014-03-11 | CVSS: 5.0 | CVE-2014-0094

apache -- http_server
  The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
  Published: 2014-03-18 | CVSS: 5.0 | CVE-2014-0098

apple -- iphone_os
  TelephonyUI Framework in Apple iOS 7 before 7.1, when Safari is used, does not require user confirmation for FaceTime audio calls, which allows remote attackers to obtain telephone number or e-mail address information via a facetime-audio: URL.
  Published: 2014-03-14 | CVSS: 5.0 | CVE-2013-6835

apple -- apple_tv
  The Configuration Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 does not properly evaluate the expiration date of a mobile configuration profile, which allows attackers to bypass intended access restrictions by using a profile after the date has passed.
  Published: 2014-03-14 | CVSS: 5.8 | CVE-2014-1267

apple -- apple_tv
  CrashHouseKeeping in Crash Reporting in Apple iOS before 7.1 and Apple TV before 6.1 allows local users to change arbitrary file permissions by leveraging a symlink.
  Published: 2014-03-14 | CVSS: 6.3 | CVE-2014-1272

apple -- apple_tv
  dyld in Apple iOS before 7.1 and Apple TV before 6.1 allows attackers to bypass code-signing requirements by leveraging use of text-relocation instructions in a dynamic library.
  Published: 2014-03-14 | CVSS: 5.8 | CVE-2014-1273

apple -- apple_tv
  Buffer overflow in ImageIO in Apple iOS before 7.1 and Apple TV before 6.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted JPEG2000 data in a PDF document.
  Published: 2014-03-14 | CVSS: 6.8 | CVE-2014-1275

apple -- iphone_os
  IOKit HID Event in Apple iOS before 7.1 allows attackers to conduct user-action monitoring attacks against arbitrary apps via a crafted app that accesses an IOKit framework interface.
  Published: 2014-03-14 | CVSS: 5.0 | CVE-2014-1276

apple -- apple_tv
  The Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 allows attackers to bypass intended configuration-profile visibility requirements via a long name.
  Published: 2014-03-14 | CVSS: 5.8 | CVE-2014-1282

apple -- iphone_os
  Springboard in Apple iOS before 7.1 allows physically proximate attackers to bypass intended access restrictions and read the home screen by leveraging an application crash during activation of an unactivated device.
  Published: 2014-03-14 | CVSS: 5.8 | CVE-2014-1285

apple -- iphone_os
  SpringBoard Lock Screen in Apple iOS before 7.1 allows remote attackers to cause a denial of service (lock-screen hang) by leveraging a state-management error.
  Published: 2014-03-14 | CVSS: 5.0 | CVE-2014-1286

apple -- apple_tv
  WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, and CVE-2014-1294.
  Published: 2014-03-14 | CVSS: 6.8 | CVE-2014-1289

apple -- apple_tv
  WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, and CVE-2014-1294.
  Published: 2014-03-14 | CVSS: 6.8 | CVE-2014-1290

apple -- apple_tv
  WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1292, CVE-2014-1293, and CVE-2014-1294.
  Published: 2014-03-14 | CVSS: 6.8 | CVE-2014-1291

apple -- apple_tv
  WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1293, and CVE-2014-1294.
  Published: 2014-03-14 | CVSS: 6.8 | CVE-2014-1292

apple -- apple_tv
  WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, and CVE-2014-1294.
  Published: 2014-03-14 | CVSS: 6.8 | CVE-2014-1293

apple -- apple_tv
  WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, and CVE-2014-1293.
  Published: 2014-03-14 | CVSS: 6.8 | CVE-2014-1294

atlassian -- jira
  Directory traversal vulnerability in the Importers plugin in Atlassian JIRA before 6.0.5 allows remote attackers to create arbitrary files via unspecified vectors.
  Published: 2014-03-09 | CVSS: 4.3 | CVE-2014-2313

atlassian -- jira
  Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create arbitrary files via unspecified vectors.
  Published: 2014-03-09 | CVSS: 4.3 | CVE-2014-2314

batavi -- batavi
  Cross-site scripting (XSS) vulnerability in admin/templates/default.php in Batavi 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to admin/index.php.
  Published: 2014-03-11 | CVSS: 4.3 | CVE-2013-2289

blair_williams -- pretty_link_lite
  Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for !, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3, allows remote attackers to inject arbitrary web script or HTML via the get-data parameter.
  Published: 2014-03-12 | CVSS: 4.3 | CVE-2013-1636

brother -- mfc-9970cdw
  Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net. or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.
  Published: 2014-03-14 | CVSS: 4.3 | CVE-2013-2507

brother -- mfc-9970cdw
  Cross-site scripting (XSS) vulnerability in the Brother MFC-9970CDW printer with firmware G (1.03) and L (1.10) allows remote attackers to inject arbitrary web script or HTML via an arbitrary parameter name (QUERY_STRING) to admin/admin_main.html, a different vulnerability than CVE-2013-2507 and CVE-2013-2671.
  Published: 2014-03-14 | CVSS: 4.3 | CVE-2013-2670

brother -- mfc-9970cdw
  Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware L (1.10) allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) val parameter to admin/admin_main.html; (3) id, (4) val, or (5) arbitrary parameter name (QUERY_STRING) to admin/profile_settings_net.html; or (6) kind or (7) arbitrary parameter name (QUERY_STRING) to fax/general_setup.html, a different vulnerability than CVE-2013-2507 and CVE-2013-2670.
  Published: 2014-03-14 | CVSS: 4.3 | CVE-2013-2671

christos_zoulas -- file
  softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.
  Published: 2014-03-14 | CVSS: 4.3 | CVE-2014-2270

cisco -- cloud_portal
  Intelligent Automation for (IAC) in Cisco Cloud Portal 9.4.1 and earlier includes a cryptographic key in binary files, which makes it easier for remote attackers to obtain cleartext data from an arbitrary IAC installation by leveraging knowledge of this key, aka Bug IDs CSCui34764, CSCui34772, CSCui34776, CSCui34798, CSCui34800, CSCui34805, CSCui34809, CSCui34810, CSCui34813, CSCui34814, and CSCui34818.
  Published: 2014-03-14 | CVSS: 5.0 | CVE-2014-0694

citrix -- netscaler_application_delivery_controller_firmware
  Unspecified vulnerability in the Service VM in Citrix NetScaler SDX 9.3 before 9.3-64.4 and 10.0 before 10.0-77.5 and Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 allows attackers to cause a denial of service via unknown vectors, related to the "Virtual Machine Daemon."
  Published: 2014-03-11 | CVSS: 5.0 | CVE-2013-6938

citrix -- netscaler_application_delivery_controller_firmware
  Unspecified vulnerability in Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 allows attackers to cause a denial of service via unknown vectors, related to "RADIUS authentication."
  Published: 2014-03-11 | CVSS: 5.0 | CVE-2013-6939

citrix -- netscaler_application_delivery_controller_firmware
  Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 logs user credentials, which allows attackers to obtain sensitive information via unspecified vectors.
  Published: 2014-03-11 | CVSS: 5.0 | CVE-2013-6940

citrix -- netscaler_application_delivery_controller_firmware
  Cross-site request forgery (CSRF) vulnerability in Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
  Published: 2014-03-11 | CVSS: 6.8 | CVE-2013-6942

citrix -- netscaler_application_delivery_controller_firmware
  Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 allows remote attackers to conduct an LDAP injection attack via vectors related to SSH and Web management usernames.
  Published: 2014-03-11 | CVSS: 5.0 | CVE-2013-6943

citrix -- netscaler_application_delivery_controller_firmware
  Cross-site scripting (XSS) vulnerability in the user interface in the AAA TM vServer in Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  Published: 2014-03-11 | CVSS: 4.3 | CVE-2013-6944

dokeos_project -- dokeos
  Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Phone, (2) Street, (3) Address line, (4) Zip code, or (5) City field to main/auth/profile.php; (6) Subject field to main/social/groups.php; or (7) Message body field to main/messages/view_message.php.
  Published: 2014-03-13 | CVSS: 4.3 | CVE-2014-1877

dotnetnuke -- dotnetnuke
  Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to inject arbitrary web script or HTML via the __dnnVariable parameter to the default URI.
  Published: 2014-03-12 | CVSS: 4.3 | CVE-2013-4649

dotnetnuke -- dotnetnuke
  Open redirect vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
  Published: 2014-03-12 | CVSS: 4.3 | CVE-2013-7335

eng -- spagobi
  Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via the Description field in the "Short document metadata."
  Published: 2014-03-09 | CVSS: 4.3 | CVE-2013-6233

freedesktop -- udisks
  Stack-based buffer overflow in udisks before 1.0.5 and 2.x before 2.1.3 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long mount point.
  Published: 2014-03-11 | CVSS: 6.9 | CVE-2014-0004

fruux -- sabredav
  The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character.
  Published: 2014-03-14 | CVSS: 5.0 | CVE-2013-1939

google -- chrome
  The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.
  Published: 2014-03-16 | CVSS: 4.3 | CVE-2014-1701

hp -- system_management_homepage
  Unspecified vulnerability in HP System Management Homepage (SMH) before 7.3 allows remote attackers to obtain sensitive information via unknown vectors.
  Published: 2014-03-14 | CVSS: 5.0 | CVE-2013-4846

hp -- system_management_homepage
  Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
  Published: 2014-03-14 | CVSS: 6.8 | CVE-2013-6188

hp -- hp-ux
  Unspecified vulnerability in m4 in HP HP-UX B.11.23 and B.11.31 allows local users to obtain sensitive information or modify data via unknown vectors.
  Published: 2014-03-11 | CVSS: 6.2 | CVE-2013-6200

hp -- insight_control_server_deployment
  Unspecified vulnerability in HP Rapid Deployment Pack (RDP) and Insight Control Server Deployment allows local users to obtain sensitive information, modify data, or cause a denial of service via unknown vectors.
  Published: 2014-03-14 | CVSS: 4.1 | CVE-2013-6205

hp -- hp-ux
  Unspecified vulnerability in rpc.lockd in the NFS subsystem in HP HP-UX B.11.11 and B.11.23 allows remote attackers to cause a denial of service via unknown vectors.
  Published: 2014-03-14 | CVSS: 4.3 | CVE-2013-6209

huawei -- e355
  The Huawei E355 adapter with firmware 21.157.37.01.910 does not require authentication for API pages, which allows remote attackers to change passwords and settings, or obtain sensitive information, via a direct request to (1) /wlan/security-settings, (2) api/device/information, (3) api/wlan/basic-settings, (4) api/wlan/mac-filter, (5) api/monitoring/status, or (6) api/dhcp/settings.
  Published: 2014-03-11 | CVSS: 4.3 | CVE-2013-6031

ibm -- infosphere_information_server
  Cross-site request forgery (CSRF) vulnerability in the XML Pack in IBM InfoSphere Information Server 8.5.x through 8.5 FP3, 8.7.x through 8.7 FP2, and 9.1.x through 9.1.2.0 allows remote attackers to hijack the authentication of arbitrary users.
  Published: 2014-03-16 | CVSS: 6.8 | CVE-2013-4057

ibm -- infosphere_information_server
  Multiple SQL injection vulnerabilities in IBM InfoSphere Information Server 8.x through 8.5 FP3, 8.7.x through 8.7 FP2, and 9.1.x through 9.1.2.0 allow remote authenticated users to execute arbitrary SQL commands via unspecified interfaces.
  Published: 2014-03-16 | CVSS: 6.5 | CVE-2013-4058

ibm -- infosphere_information_server
  Multiple cross-site scripting (XSS) vulnerabilities in IBM InfoSphere Information Server 8.x through 8.5 FP3, 8.7.x through 8.7 FP2, and 9.1.x through 9.1.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified interfaces.
  Published: 2014-03-16 | CVSS: 4.3 | CVE-2013-4059

ibm -- infosphere_master_data_management_server
  Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) Data Stewardship, (2) Business Admin, and (3) Product interfaces in IBM InfoSphere Master Data Management (MDM) Server 8.5 before 8.5.0.82, 9.0.1 before 9.0.1.38, 9.0.2 before 9.0.2.35, 10.0 before 10.0.0.0.26, and 10.1 before 10.1.0.0.15 allow remote attackers to hijack the authentication of arbitrary users.
  Published: 2014-03-16 | CVSS: 6.8 | CVE-2014-0873

ibm -- aix
  ftpd in IBM AIX 7.1.1 before SP10 and 7.1.2 before SP5, when a Workload Partition (aka WPAR) for AIX 5.2 or 5.3 is used, allows remote authenticated users to bypass intended permission settings and modify arbitrary files via FTP commands.
  Published: 2014-03-11 | CVSS: 6.5 | CVE-2014-0899

ilch -- ilch_cms
  Cross-site scripting (XSS) vulnerability in Ilch CMS 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the text parameter to index.php/guestbook/index/newentry.
  Published: 2014-03-09 | CVSS: 4.3 | CVE-2014-1944

Low Severity Vulnerabilities
(Columns: Primary Vendor -- Product; Description; Date Published; CVSS Score; CVE Identity)

apple -- iphone_os
  FaceTime in Apple iOS before 7.1 allows physically proximate attackers to obtain sensitive FaceTime contact information by using the lock screen for an invalid FaceTime call.
  Published: 2014-03-14 | CVSS: 2.1 | CVE-2014-1274

apple -- apple_tv
  Apple TV before 6.1 does not properly restrict logging, which allows local users to obtain sensitive information by reading log data.
  Published: 2014-03-14 | CVSS: 2.1 | CVE-2014-1279

apple -- iphone_os
  Photos Backend in Apple iOS before 7.1 does not properly manage the asset-library cache during deletions, which allows physically proximate attackers to obtain sensitive photo data by launching the Photos app and looking under a transparent image.
  Published: 2014-03-14 | CVSS: 1.9 | CVE-2014-1281
dotnetnuke -- dotnetnuke
  Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to the Display Name field in the Manage Profile.
  Published: 2014-03-12 | CVSS: 3.5 | CVE-2013-3943

eng -- spagobi
  Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via a document note in the execution page.
  Published: 2014-03-09 | CVSS: 3.5 | CVE-2013-6232

ibm -- infosphere_master_data_management_reference_data_management_hub
  Cross-site scripting (XSS) vulnerability in IBM InfoSphere Master Data Management Reference Data Management (RDM) Hub 10.1 and 11.0 before 11.0.0.0-MDM-IF008 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
  Published: 2014-03-16 | CVSS: 3.5 | CVE-2014-0850

juniper -- ive_os
  Cross-site scripting (XSS) vulnerability in the Pulse Collaboration (Secure Meeting) user pages in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS before 7.1r18, 7.3 before 7.3r10, 7.4 before 7.4r8, and 8.0 before 8.0r1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
  Published: 2014-03-14 | CVSS: 3.5 | CVE-2014-2291

kasseler-cms -- kasseler-cms
  Cross-site scripting (XSS) vulnerability in Kasseler CMS before 2 r1232 allows remote authenticated users with permissions to create categories to inject arbitrary web script or HTML via the cat parameter in an admin_new_category action to admin.php.
  Published: 2014-03-13 | CVSS: 3.5 | CVE-2013-3728

libssh -- libssh
  The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between child processes and allows local users to obtain sensitive information by leveraging a pid collision.
  Published: 2014-03-14 | CVSS: 1.9 | CVE-2014-0017

owncloud -- owncloud
  Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) site_name or (2) site_url parameter to apps/external/ajax/setsites.php.
  Published: 2014-03-14 | CVSS: 3.5 | CVE-2013-0297

owncloud -- owncloud
  Cross-site scripting (XSS) vulnerability in settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allows remote administrators to inject arbitrary web script or HTML via the group input field parameter.
  Published: 2014-03-14 | CVSS: 3.5 | CVE-2013-0307

owncloud -- owncloud
  Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.8 allow remote authenticated users with administrator privileges to inject arbitrary web script or HTML via the (1) quota parameter to /core/settings/ajax/setquota.php, or remote authenticated users with group admin privileges to inject arbitrary web script or HTML via the (2) group field to settings.php or (3) "share with" field.
  Published: 2014-03-14 | CVSS: 3.5 | CVE-2013-1822

owncloud -- owncloud
  Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
  Published: 2014-03-14 | CVSS: 3.5 | CVE-2013-2040
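Three entries in this bulletin are variations of one file-system mistake: the iOS Backup entry (CVE-2013-5133) follows a symlink planted by crafted backup data and overwrites whatever it points at, the two Atlassian JIRA entries (CVE-2014-2313, CVE-2014-2314) let a traversal in a supplied path create files outside the intended directory, and the SabreDAV entry (CVE-2013-1939) only checks the forward slash as a separator so a backslash slips past on Windows. The following is an added example, not Apple's, Atlassian's or SabreDAV's code: a restore routine that refuses all three, with the entry format (name, kind, payload) and the sample entries constructed for the demo.

```python
"""Added example (not any vendor's code): restoring untrusted entries into a
directory without following symlinks or leaving the restore root. The entry
format (name, kind, payload) is an assumption made for this demo."""
import os
import pathlib
import tempfile


class UnsafeEntry(ValueError):
    """Raised for any entry that must not be restored."""


def safe_relative_path(name):
    """Return `name` as a clean relative PurePosixPath, or raise UnsafeEntry.
    Rejects backslashes (a separator on Windows, the SabreDAV case), NUL
    bytes, absolute names and any '..' component (the JIRA case)."""
    if "\\" in name:
        raise UnsafeEntry(f"backslash in member name: {name!r}")
    if "\x00" in name:
        raise UnsafeEntry("NUL byte in member name")
    p = pathlib.PurePosixPath(name)
    if p.is_absolute():
        raise UnsafeEntry(f"absolute member name: {name!r}")
    parts = [part for part in p.parts if part not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeEntry(f"traversal in member name: {name!r}")
    return pathlib.PurePosixPath(*parts)


def restore(entries, root):
    """Write each 'file' entry under root and return the relative paths written.
    Symlink entries are refused outright (the iOS Backup case). The parent
    directory is resolved and compared against the resolved root before
    anything is created, so a symlink already on disk cannot redirect the
    write, and the file itself is opened with O_NOFOLLOW."""
    root = pathlib.Path(root).resolve()
    written = []
    for name, kind, payload in entries:
        rel = safe_relative_path(name)
        if kind == "symlink":
            raise UnsafeEntry(f"symlink entry refused: {name!r} -> {payload!r}")
        if kind != "file":
            raise UnsafeEntry(f"unknown entry kind {kind!r} for {name!r}")
        dest = root.joinpath(*rel.parts)
        real_parent = dest.parent.resolve()  # follows symlinks already present
        if real_parent != root and root not in real_parent.parents:
            raise UnsafeEntry(f"parent of {name!r} resolves outside root: {real_parent}")
        dest.parent.mkdir(parents=True, exist_ok=True)
        if dest.is_symlink():
            raise UnsafeEntry(f"destination {name!r} is an existing symlink")
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
        fd = os.open(dest, flags, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
        written.append(rel.as_posix())
    return written


def run_demo():
    """Constructed cases, each modelled on an entry in this bulletin."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp, "restore")
        root.mkdir()
        outside = pathlib.Path(tmp, "outside")  # stands in for /etc or similar
        outside.mkdir()
        results["benign"] = restore([("Documents/notes.txt", "file", b"hello")], root)
        cases = {
            "traversal": [("../outside/pwned", "file", b"x")],
            "backslash": [("..\\outside\\pwned", "file", b"x")],
            "absolute": [("/etc/passwd", "file", b"x")],
            # CVE-2013-5133 shape: plant a symlink, then write "through" it
            "symlink_entry": [("Library/link", "symlink", str(outside)),
                              ("Library/link/pwned", "file", b"x")],
        }
        for label, entries in cases.items():
            try:
                restore(entries, root)
                results[label] = "restored"
            except UnsafeEntry:
                results[label] = "refused"
        # a symlink that is already inside the restore root before we start
        (root / "cache").symlink_to(outside, target_is_directory=True)
        try:
            restore([("cache/pwned", "file", b"x")], root)
            results["existing_symlink"] = "restored"
        except UnsafeEntry:
            results["existing_symlink"] = "refused"
        results["outside_untouched"] = not any(outside.iterdir())
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:18s} -> {outcome}")
```

Rejecting symlink entries outright is the simplest safe policy for a restore that runs with more privilege than the producer of the data; if an application genuinely needs to restore symlinks, they must be created only after every regular file has been written, and their targets must pass the same containment check. The parent-directory check here is a single-threaded restore's defence against what is already on disk; it does not protect against an attacker who can race the restore on the same file system, which is why the final open uses O_NOFOLLOW as well.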

• Sources: http://nvd.nist.gov (for more information, visit the National Vulnerability Database (NVD), which maintains a searchable database of publicly disclosed vulnerabilities, indexed by CVE identifier, with their CVSS scores and vendor references).

Uganda Communications Commission – UGCERT
Email: [email protected]
Tel: +256 414 302 100/150
Toll Free: 0800 133 911
Website: www.ug-cert.ug
Facebook / Twitter: UGCERT