Vulnerability Summary for the Week of May 5, 2014

Please Note:

• The vulnerabilities are categorized by their level of severity, which is High (CVSS 7.0 to 10.0), Medium (4.0 to 6.9) or Low (0.0 to 3.9).

• The CVE identity number is the publicly known ID assigned to that particular vulnerability, so you can look up the current status of the vulnerability using that ID.

• The CVSS (Common Vulnerability Scoring System) score is a standard scoring system used to rate the severity of a vulnerability; the scores in this bulletin determine the severity band each entry is listed under.

High Severity Vulnerabilities

Columns: Primary Vendor -- Product | Date Published | CVSS Score | CVE Identity. The description follows on the next line.

acunetix -- web_vulnerability_scanner | 2014-04-27 | 10.0 | CVE-2014-2994
Stack-based buffer overflow in Acunetix Web Vulnerability Scanner (WVS) 8 build 20120704 allows remote attackers to execute arbitrary code via an HTML file containing an IMG element with a long URL (src attribute).

adobe -- flash_player | 2014-04-29 | 10.0 | CVE-2014-0515
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

apache -- struts | 2014-04-29 | 7.5 | CVE-2014-0112
ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

apache -- struts | 2014-04-29 | 7.5 | CVE-2014-0113
CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

apache -- struts | 2014-04-30 | 7.5 | CVE-2014-0114
The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, which is passed to the getClass method.

cisco -- telepresence_system_software | 2014-05-02 | 7.1 | CVE-2014-2156
Cisco TelePresence System MXP Series Software before F9.3.1 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCty45739.
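The three Apache Struts entries above share one root cause: a request parameter name is treated as a bean property path, and a path that starts with or passes through class reaches Object.getClass() and from there the ClassLoader. The check a practitioner wants is a parameter-name filter applied before binding. The Python below is an added illustration written for this page, not Struts code and not the project's actual fix; the parameter names are constructed, and ClassLoader.defaultAssertionStatus is used only as a harmless, real setter that such a path could reach.

```python
"""Added example: filter bean-property parameter names so that none of them
can reach the `class` property (Object.getClass) during request binding.
Illustration written for this page; not Struts' own code."""
import re

# Character allowlist: a property path is letters, digits, '_', '.', and
# bracket indexes; anything else (OGNL operators, '#', '(', '%') is refused.
NAME_CHARS = re.compile(r"^[A-Za-z0-9_.\[\]'\"]+$")

# One path segment: a bare identifier, or a bracketed 'x', "x" or numeric index.
TOKEN = re.compile(r"[A-Za-z0-9_]+|\[\s*(?:'([^']*)'|\"([^\"]*)\"|(\d+))\s*\]")

# Segments that must never appear anywhere in a bindable path.
DENIED_SEGMENTS = {"class"}


def segments(name):
    """Split a.b['c']["d"][0] into ['a','b','c','d','0']; None if malformed."""
    segs = []
    pos = 0
    while pos < len(name):
        if name[pos] == ".":
            pos += 1
            continue
        m = TOKEN.match(name, pos)
        if m is None:
            return None
        if name[pos] == "[":
            segs.append(next(g for g in m.groups() if g is not None))
        else:
            segs.append(m.group(0))
        pos = m.end()
    return segs or None


def parameter_allowed(name):
    """True only for a well-formed path with no denied segment in any of
    its spellings (class.x, Class.x, ['class'].x, ["class"].x)."""
    if not NAME_CHARS.match(name):
        return False
    segs = segments(name)
    if segs is None:
        return False
    return not any(s.lower() in DENIED_SEGMENTS for s in segs)


def filter_parameters(params):
    """Split a request's parameters into the ones safe to bind and the
    rejected names (log the rejects; do not drop them silently)."""
    accepted = {k: v for k, v in params.items() if parameter_allowed(k)}
    rejected = [k for k in params if k not in accepted]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed request: two ordinary form fields and three names that
    # walk into the ClassLoader through the class property.
    request = {
        "user.name": "alice",
        "items[0].quantity": "2",
        "class.classLoader.defaultAssertionStatus": "true",
        "Class['classLoader'].defaultAssertionStatus": "true",
        "user[\"class\"].classLoader.defaultAssertionStatus": "true",
    }
    ok, bad = filter_parameters(request)
    print("bind:", sorted(ok))
    print("reject:", bad)
```

The segment split matters: a filter that only looks for the literal prefix "class." misses the bracket and mixed-case spellings, which is the same kind of gap the "incomplete fix" notes above describe.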
cisco -- telepresence_system_software | 2014-05-02 | 7.1 | CVE-2014-2157
Cisco TelePresence System MXP Series Software before F9.3.1 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCty45733.

cisco -- telepresence_system_software | 2014-05-02 | 7.8 | CVE-2014-2158
Cisco TelePresence System MXP Series Software before F9.3.1 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCty45720.

cisco -- telepresence_system_software | 2014-05-02 | 7.8 | CVE-2014-2159
The H.225 subsystem in Cisco TelePresence System MXP Series Software before F9.3.1 allows remote attackers to cause a denial of service (device reload) via crafted packets, aka Bug ID CSCtq78722.

cisco -- telepresence_system_software | 2014-05-02 | 7.8 | CVE-2014-2160
The H.225 subsystem in Cisco TelePresence System MXP Series Software before F9.3.1 allows remote attackers to cause a denial of service (device reload) via crafted packets, aka Bug ID CSCty45745.

cisco -- telepresence_system_software | 2014-05-02 | 7.8 | CVE-2014-2161
The H.225 subsystem in Cisco TelePresence System MXP Series Software before F9.3.1 allows remote attackers to cause a denial of service (device reload) via crafted packets, aka Bug ID CSCty45731.

cisco -- telepresence_tc_software | 2014-05-02 | 7.8 | CVE-2014-2162
The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCud29566.

cisco -- telepresence_tc_software | 2014-05-02 | 7.8 | CVE-2014-2163
The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCua64961.
cisco -- telepresence_tc_software | 2014-05-02 | 7.8 | CVE-2014-2164
The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCuj94651.

cisco -- telepresence_tc_software | 2014-05-02 | 7.8 | CVE-2014-2165
The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCtq72699.

cisco -- telepresence_tc_software | 2014-05-02 | 7.8 | CVE-2014-2166
The SIP implementation in Cisco TelePresence TC Software 4.x and TE Software 4.x allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCto70562.

cisco -- telepresence_tc_software | 2014-05-02 | 7.8 | CVE-2014-2167
The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCua86589.

cisco -- telepresence_tc_software | 2014-05-02 | 7.6 | CVE-2014-2168
Buffer overflow in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allows remote attackers to execute arbitrary code via crafted DNS response packets, aka Bug ID CSCty44804.

cisco -- telepresence_tc_software | 2014-05-02 | 9.0 | CVE-2014-2169
Cisco TelePresence TC Software 4.x through 6.x before 6.2.0 and TE Software 4.x and 6.0 allow remote authenticated users to execute arbitrary commands by using the commands as arguments to internal system scripts, aka Bug ID CSCue60211.

cisco -- telepresence_tc_software | 2014-05-02 | 9.0 | CVE-2014-2170
Cisco TelePresence TC Software 4.x and 5.x before 5.1.7 and 6.x before 6.0.1 and TE Software 4.x and 6.0 allow remote authenticated users to execute arbitrary commands by using the commands as arguments to tshell (aka tcsh) scripts, aka Bug ID CSCue60202.
cisco -- telepresence_tc_software | 2014-05-02 | 10.0 | CVE-2014-2171
Heap-based buffer overflow in Cisco TelePresence TC Software 4.x through 6.x before 6.0.1 and TE Software 4.x and 6.0.x before 6.0.2 allows remote attackers to execute arbitrary code via crafted SIP packets, aka Bug ID CSCud81796.

cisco -- telepresence_tc_software | 2014-05-02 | 7.2 | CVE-2014-2173
Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 do not properly restrict access to the serial port, which allows local users to gain privileges via unspecified commands, aka Bug ID CSCub67692.

cisco -- telepresence_tc_software | 2014-05-02 | 7.8 | CVE-2014-2175
Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allow remote attackers to cause a denial of service (memory consumption) via crafted H.225 packets, aka Bug ID CSCtq78849.

citrix -- netscaler_access_gateway_firmware | 2014-05-01 | 7.5 | CVE-2014-2881
Unspecified vulnerability in the Diffie-Hellman key agreement implementation in the management GUI in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway before 9.3-66.5 and 10.x before 10.1-122.17 has unknown impact and vectors.

citrix -- netscaler_access_gateway_firmware | 2014-05-01 | 7.5 | CVE-2014-2882
Unspecified vulnerability in the management GUI in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway before 9.3-66.5 and 10.x before 10.1-122.17 has unspecified impact and vectors, related to certificate validation.

debian -- dpkg | 2014-04-30 | 9.3 | CVE-2014-0471
Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted source package, related to "C-style filename quoting."

fortinet -- fortiauthenticator | 2014-04-30 | 9.0 | CVE-2013-6990
FortiGuard FortiAuthenticator before 3.0 allows remote administrators to gain privileges via the command line interface.
fortinet -- fortiweb | 2014-04-30 | 7.5 | CVE-2014-1956
CRLF injection vulnerability in FortiGuard FortiWeb before 5.0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

google -- android | 2014-04-29 | 7.5 | CVE-2013-7373
Android before 4.4 does not properly arrange for seeding of the OpenSSL PRNG, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging use of the PRNG within multiple applications.

google -- chrome | 2014-04-26 | 7.8 | CVE-2014-1730
Google V8, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly store internationalization metadata, which allows remote attackers to bypass intended access restrictions by leveraging "type confusion" and reading property values, related to i18n.js and runtime.cc.

google -- chrome | 2014-04-26 | 7.5 | CVE-2014-1731
core/html/HTMLSelectElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly check renderer state upon a focus event, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion" for SELECT elements.

google -- chrome | 2014-04-26 | 7.5 | CVE-2014-1732
Use-after-free vulnerability in browser/ui/views/speech_recognition_bubble_views.cc in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux allows remote attackers to cause a denial of service or possibly have unspecified other impact via an INPUT element that triggers the presence of a Speech Recognition Bubble window for an incorrect duration.
google -- chrome | 2014-04-26 | 7.5 | CVE-2014-1733
The PointerCompare function in codegen.cc in Seccomp-BPF, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly merge blocks, which might allow remote attackers to bypass intended sandbox restrictions by leveraging renderer access.

google -- chrome | 2014-04-26 | 7.5 | CVE-2014-1734
Multiple unspecified vulnerabilities in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

google -- chrome | 2014-04-26 | 7.5 | CVE-2014-1735
Multiple unspecified vulnerabilities in Google V8 before 3.24.35.33, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

igor_sysoev -- nginx | 2014-04-29 | 7.5 | CVE-2014-0088
The SPDY implementation in the ngx_http_spdy_module module in nginx 1.5.10 before 1.5.11, when running on a 32-bit platform, allows remote attackers to execute arbitrary code via a crafted request.

livetecs -- timelive | 2014-04-28 | 7.5 | CVE-2014-1217
Livetecs Timelive before 6.2.8 does not properly restrict access to systemsetting.aspx, which allows remote attackers to change configurations and obtain the database connection string and credentials via unspecified vectors.

livetecs -- timelive | 2014-04-28 | 7.5 | CVE-2014-2042
Unrestricted file upload vulnerability in the Manage Project functionality in Livetecs Timelive before 6.5.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in a predictable directory in Uploads/.
microsoft -- internet_explorer | 2014-04-27 | 7.5 | CVE-2014-1762
Unspecified vulnerability in Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code with medium-integrity privileges and bypass a sandbox protection mechanism via unknown vectors, as demonstrated by ZDI during a Pwn4Fun competition at CanSecWest 2014.

microsoft -- internet_explorer | 2014-04-27 | 10.0 | CVE-2014-1763
Use-after-free vulnerability in Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2014.

microsoft -- internet_explorer | 2014-04-27 | 10.0 | CVE-2014-1764
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism by leveraging "object confusion" in a broker process, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2014.

microsoft -- internet_explorer | 2014-04-27 | 10.0 | CVE-2014-1765
Multiple use-after-free vulnerabilities in Microsoft Internet Explorer 11 allow remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by Sebastian Apelt and Andreas Schmidt during a Pwn2Own competition at CanSecWest 2014.

microsoft -- windows_8.1 | 2014-04-27 | 7.2 | CVE-2014-1766
Unspecified vulnerability in the kernel in Microsoft Windows 8.1 allows local users to gain privileges via unknown vectors, as demonstrated by Sebastian Apelt and Andreas Schmidt during a Pwn2Own competition at CanSecWest 2014.

microsoft -- internet_explorer | 2014-04-27 | 10.0 | CVE-2014-1776
Use-after-free vulnerability in VGX.DLL in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, as exploited in the wild in April 2014.
mozilla -- firefox | 2014-04-30 | 10.0 | CVE-2014-1518
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

mozilla -- firefox | 2014-04-30 | 10.0 | CVE-2014-1519
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0 and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

mozilla -- firefox | 2014-04-30 | 10.0 | CVE-2014-1522
The mozilla::dom::OscillatorNodeEngine::ComputeCustom function in the Web Audio subsystem in Mozilla Firefox before 29.0 and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read, memory corruption, and application crash) via crafted content.

mozilla -- firefox | 2014-04-30 | 10.0 | CVE-2014-1524
The nsXBLProtoImpl::InstallImplementation function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 does not properly check whether objects are XBL objects, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via crafted JavaScript code that accesses a non-XBL object as if it were an XBL object.

mozilla -- firefox | 2014-04-30 | 9.3 | CVE-2014-1525
The mozilla::dom::TextTrack::AddCue function in Mozilla Firefox before 29.0 and SeaMonkey before 2.26 does not properly perform garbage collection for Text Track Manager variables, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and heap memory corruption) via a crafted VIDEO element in an HTML document.
mozilla -- firefox | 2014-04-30 | 10.0 | CVE-2014-1528
The sse2_composite_src_x888_8888 function in Pixman, as used in Cairo in Mozilla Firefox 28.0 and SeaMonkey 2.25 on Windows, allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write and application crash) by painting on a CANVAS element.

mozilla -- firefox | 2014-04-30 | 9.3 | CVE-2014-1529
The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to bypass intended source-component restrictions and execute arbitrary JavaScript code in a privileged context via a crafted web page for which Notification.permission is granted.

mozilla -- firefox | 2014-04-30 | 10.0 | CVE-2014-1531
Use-after-free vulnerability in the nsGenericHTMLElement::GetWidthHeightForImage function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving an imgLoader object that is not properly handled during an image-resize operation.

mozilla -- firefox | 2014-04-30 | 10.0 | CVE-2014-1532
Use-after-free vulnerability in the nsHostResolver::ConditionallyRefreshRecord function in libxul.so in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors related to host resolution.

openstack -- neutron | 2014-04-28 | 9.0 | CVE-2014-0187
The openvswitch-agent process in OpenStack Neutron 2013.1 before 2013.2.4 and 2014.1 before 2014.1.1 allows remote authenticated users to bypass security group restrictions via an invalid CIDR in a security group rule, which prevents further rules from being applied.
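The OpenStack Neutron entry above describes a fail-open pattern worth recognising beyond that one bug: an agent translates a list of security group rules into firewall rules, one bad rule raises part way through, and the port ends up with no filter at all rather than with a default deny. The Python below is an added illustration written for this page, not Neutron code; the rule set, the chain model and the is_allowed evaluator are constructed. It shows the rejecting check that belongs at rule-creation time and an apply step that always finishes with the default deny.

```python
"""Added example: a rule list with one invalid CIDR, applied fail-open
(vulnerable shape) and fail-closed (hardened shape). Illustration written
for this page; not OpenStack Neutron code."""
import ipaddress

# Constructed security group: two valid allow rules around one with a bad
# prefix length (/33 on IPv4).
RULES = [
    {"protocol": "tcp", "port": 22,   "remote_ip_prefix": "10.0.0.0/8"},
    {"protocol": "tcp", "port": 443,  "remote_ip_prefix": "10.0.0.0/33"},
    {"protocol": "tcp", "port": 3306, "remote_ip_prefix": "10.1.2.0/24"},
]


def validate_rule(rule):
    """API-side check: refuse the rule before it is stored, so a bad CIDR
    never reaches the agent at all."""
    try:
        ipaddress.ip_network(rule["remote_ip_prefix"], strict=False)
    except ValueError as exc:
        raise ValueError(f"bad remote_ip_prefix {rule['remote_ip_prefix']!r}: {exc}") from exc
    return rule


def compile_chain(rules):
    """Turn rules into an ordered chain: allow entries, then a final drop.
    Raises ValueError on the first bad CIDR, like a naive agent loop."""
    chain = []
    for r in rules:
        net = ipaddress.ip_network(r["remote_ip_prefix"], strict=False)
        chain.append(("allow", net, r["protocol"], r["port"]))
    chain.append(("drop",))
    return chain


def apply_fail_open(rules):
    """Vulnerable shape: the exception aborts setup and the port is left
    with no chain at all (None), which the evaluator treats as unfiltered."""
    try:
        return compile_chain(rules)
    except ValueError:
        return None   # the agent logs the error; the port's filter never lands


def apply_fail_closed(rules):
    """Hardened shape: skip rules that fail validation, keep the rest, and
    always finish with the default deny."""
    good = []
    for r in rules:
        try:
            good.append(validate_rule(r))
        except ValueError:
            continue   # log and skip; never abort the whole port
    return compile_chain(good)


def is_allowed(chain, src_ip, port, protocol="tcp"):
    """Evaluate one packet against a chain. No chain means no filtering."""
    if chain is None:
        return True
    src = ipaddress.ip_address(src_ip)
    for entry in chain:
        if entry[0] == "drop":
            return False
        _, net, proto, dport = entry
        if src in net and proto == protocol and dport == port:
            return True
    return False


if __name__ == "__main__":
    open_chain = apply_fail_open(RULES)
    closed_chain = apply_fail_closed(RULES)
    print("fail-open,   203.0.113.7 -> 3306:", is_allowed(open_chain, "203.0.113.7", 3306))
    print("fail-closed, 203.0.113.7 -> 3306:", is_allowed(closed_chain, "203.0.113.7", 3306))
    print("fail-closed, 10.1.2.5    -> 3306:", is_allowed(closed_chain, "10.1.2.5", 3306))
```

Both checks are needed: validation at the API stops the bad rule from being stored, and the fail-closed apply step protects against any other exception the agent might hit while building a port's rules.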
papercut -- papercut_mf | 2014-04-28 | 7.5 | CVE-2014-2657
Unspecified vulnerability in the print release functionality in PaperCut MF 14.1 (Build 26983) has unknown impact and remote vectors, related to embedded MFPs.

phusion -- juvia | 2014-04-29 | 7.5 | CVE-2013-7134
Juvia uses the same secret key for all installations, which allows remote attackers to have unspecified impact by leveraging the secret key in app/config/initializers/secret_token.rb, related to cookies.

python -- pillow | 2014-04-27 | 10.0 | CVE-2014-3007
Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.

simplemachines -- simple_machines_forum | 2014-04-29 | 7.5 | CVE-2013-7235
Simple Machines Forum (SMF) before 1.1.19 and 2.x before 2.0.6 allows remote attackers to impersonate arbitrary users via multiple space characters.

simplemachines -- simple_machines_forum | 2014-04-29 | 7.5 | CVE-2013-7236
Simple Machines Forum (SMF) 2.0.6, 1.1.19, and earlier allows remote attackers to impersonate arbitrary users via a homoglyph character in a username.

super_project -- super | 2014-04-30 | 7.2 | CVE-2014-0470
super.c in Super 3.30.0 does not check the return value of the setuid function when the -F flag is set, which allows local users to gain privileges via unspecified vectors, aka an RLIMIT_NPROC attack.

unitrends -- enterprise_backup | 2014-04-28 | 10.0 | CVE-2014-3008
Unitrends Enterprise Backup 7.3.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the comm parameter to recoveryconsole/bpl/snmpd.php.

unitrends -- enterprise_backup | 2014-05-02 | 7.5 | CVE-2014-3139
recoveryconsole/bpl/snmpd.php in Unitrends Enterprise Backup 7.3.0 allows remote attackers to bypass authentication by setting the auth parameter to a certain string.
wdc -- arkeia_virtual_appliance | 2014-04-28 | 7.5 | CVE-2014-2846
Directory traversal vulnerability in opt/arkeia/wui/htdocs/index.php in the WD Arkeia virtual appliance (AVA) with firmware before 10.2.9 allows remote attackers to read arbitrary files and execute arbitrary PHP code via a ..././ (dot dot dot slash dot slash) in the lang Cookie parameter, as demonstrated by a request to login/doLogin.

xcloner -- xcloner | 2014-04-25 | 7.6 | CVE-2014-2579
Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner Standalone 3.5 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) change the administrator password via the config task to index2.php or (2) when the enable_db_backup and sql_mem options are enabled, access the database backup functionality via the dbbackup_comp parameter in the generate action to index2.php. NOTE: vector 2 might be a duplicate of CVE-2014-2340, which is for the XCloner Wordpress plugin. NOTE: remote attackers can leverage CVE-2014-2996 with vector 2 to execute arbitrary commands.

xcloner -- xcloner | 2014-04-25 | 7.1 | CVE-2014-2996
XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the dbbackup_comp parameter in a generate action to index2.php. NOTE: it is not clear whether this issue crosses privilege boundaries, since administrators might already have the privileges to execute code. NOTE: this can be leveraged by remote attackers using CVE-2014-2579.
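The WD Arkeia entry above names the ..././ sequence, which is the standard bypass for a filter that strips ../ in a single pass: once the inner ../ is removed, the characters on either side close up into a fresh ../ that the filter never sees. The Python below is an added illustration written for this page, not the appliance's code; the /opt/app/lang layout, the language allowlist and the cookie values are constructed. It shows the flawed stripper, the resolve-and-contain check that holds, and the allowlist that should sit in front of both.

```python
"""Added example: the one-pass '../' stripper defeated by ..././, and the
two checks that hold (resolve-and-contain, then an allowlist). Illustration
written for this page; not WD Arkeia code."""
import posixpath

BASE_DIR = "/opt/app/lang"            # constructed: directory the lang cookie indexes
ALLOWED_LANGS = {"en", "fr", "de"}    # constructed: the only values a cookie may carry


def naive_sanitize(value):
    """The flawed filter: remove '../' once and trust what is left."""
    return value.replace("../", "")


def vulnerable_resolve(cookie):
    """Vulnerable flow: strip, join, use. The stripped value is joined to
    the base directory without checking where the result ends up."""
    return posixpath.normpath(posixpath.join(BASE_DIR, naive_sanitize(cookie)))


def safe_join(base, user_path):
    """Resolve the candidate under base and return it only if it stays
    inside base; None otherwise. posixpath keeps this platform independent."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def hardened_resolve(cookie):
    """Hardened flow: accept only a known language code, then still apply
    the containment check on the final path."""
    if cookie not in ALLOWED_LANGS:
        return None
    return safe_join(BASE_DIR, cookie + "/strings.php")


if __name__ == "__main__":
    cookie = "..././..././etc/passwd"                  # constructed cookie value
    print(naive_sanitize(cookie))                       # ../../etc/passwd
    print(vulnerable_resolve(cookie))                   # /opt/etc/passwd
    print(safe_join(BASE_DIR, naive_sanitize(cookie)))  # None
    print(hardened_resolve(cookie))                     # None
    print(hardened_resolve("en"))                       # /opt/app/lang/en/strings.php
```

Note that safe_join applied to the raw ..././ value does not escape at all (the "..." segments are ordinary names); it is the stripping step that manufactures the traversal, which is why containment must be checked on the final path and why the stripper should not exist.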
Medium Severity Vulnerabilities

Columns: Primary Vendor -- Product | Date Published | CVSS Score | CVE Identity. The description follows on the next line.

apache -- harmony | 2014-04-29 | 5.0 | CVE-2013-7372
The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.

basespace_ruby_sdk_project -- basespace_ruby_sdk | 2014-04-29 | 5.0 | CVE-2013-7111
The put_call function in the API client (api/api_client.rb) in the BaseSpace Ruby SDK (aka bio-basespace-sdk) gem 0.1.7 for Ruby uses the API_KEY on the command line, which allows remote attackers to obtain sensitive information by listing the processes.

birebin -- birebin.com_app | 2014-04-25 | 6.4 | CVE-2014-2993
The Birebin.com application for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

bluecoat -- content_analysis_system_software | 2014-04-30 | 6.5 | CVE-2014-2565
The commandline interface in Blue Coat Content Analysis System (CAS) 1.1 before 1.1.4.2 allows remote administrators to execute arbitrary commands via unspecified vectors, related to "command injection."
canonical -- update-manager | 2014-04-27 | 6.4 | CVE-2011-3152
DistUpgrade/DistUpgradeFetcherCore.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 on Ubuntu 8.04 through 11.10 does not verify the GPG signature before extracting an upgrade tarball, which allows man-in-the-middle attackers to (1) create or overwrite arbitrary files via a directory traversal attack using a crafted tar file, or (2) bypass authentication via a crafted meta-release file.

canonical -- ubuntu_linux | 2014-05-01 | 4.6 | CVE-2013-7374
The Ubuntu Date and Time Indicator (aka indicator-datetime) 13.10.0+13.10.x before 13.10.0+13.10.20131023.2-0ubuntu1.1 does not properly restrict access to Evolution, which allows local users to bypass the greeter screen restrictions by clicking the date.

cisco -- telepresence_tc_software | 2014-05-02 | 6.6 | CVE-2014-2172
Buffer overflow in Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 allows local users to gain privileges by leveraging improper handling of the u-boot flag for internal executable files, aka Bug ID CSCub67693.

cisco -- unified_contact_center_enterprise | 2014-04-29 | 4.0 | CVE-2014-2180
The Document Management component in Cisco Unified Contact Center Express does not properly validate a parameter, which allows remote authenticated users to upload files to arbitrary pathnames via a crafted HTTP request, aka Bug ID CSCun74133.

cisco -- adaptive_security_appliance_software | 2014-04-29 | 6.1 | CVE-2014-2182
Cisco Adaptive Security Appliance (ASA) Software, when DHCPv6 relay is configured, allows remote attackers to cause a denial of service (device reload) via a crafted DHCPv6 packet, aka Bug ID CSCun45520.
cisco -- asr_1001_router | 2014-04-29 | 6.3 | CVE-2014-2183
The L2TP module in Cisco IOS XE 3.10S(.2) and earlier on ASR 1000 routers allows remote authenticated users to cause a denial of service (ESP card reload) via a malformed L2TP packet, aka Bug ID CSCun09973.

cisco -- unified_communications_manager | 2014-04-29 | 5.0 | CVE-2014-2184
The IP Manager Assistant (IPMA) component in Cisco Unified Communications Manager (Unified CM) allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCun74352.

cisco -- unified_communications_manager | 2014-04-29 | 4.0 | CVE-2014-2185
The Call Detail Records (CDR) Management component in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to obtain sensitive information by reading extraneous fields in an HTML document, aka Bug ID CSCun74374.

cisco -- webex_meetings_server | 2014-04-30 | 6.8 | CVE-2014-2186
Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco WebEx Meetings Server allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuj81777.

coreftp -- core_ftp | 2014-05-01 | 4.3 | CVE-2014-1441
Core FTP Server 1.2 before build 515 allows remote attackers to cause a denial of service (reachable assertion and crash) via an AUTH SSL command with malformed data, as demonstrated by pressing the enter key twice.

coreftp -- core_ftp | 2014-05-01 | 4.0 | CVE-2014-1442
Directory traversal vulnerability in Core FTP Server 1.2 before build 515 allows remote authenticated users to determine the existence of arbitrary files via a /../ sequence in an XCRC command.

coreftp -- core_ftp | 2014-05-01 | 4.0 | CVE-2014-1443
Core FTP Server 1.2 before build 515 allows remote authenticated users to obtain sensitive information (password for the previous user) via a USER command with a specific length, possibly related to an out-of-bounds read.
cybozu -- garoon | 2014-05-02 | 6.0 | CVE-2014-1989
Cybozu Garoon 3.0 through 3.7 SP3 allows remote authenticated users to bypass intended access restrictions and delete schedule information via unspecified API calls.

dompdf -- dompdf | 2014-04-28 | 4.3 | CVE-2014-2383
dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.

ecava -- integraxor | 2014-04-30 | 5.0 | CVE-2014-0786
Ecava IntegraXor before 4.1.4393 allows remote attackers to read cleartext credentials for administrative accounts via SELECT statements that leverage the guest role.

emc -- rsa_access_manager | 2014-05-01 | 6.9 | CVE-2014-0646
The runtime WS component in the server in EMC RSA Access Manager 6.1.3 before 6.1.3.39, 6.1.4 before 6.1.4.22, 6.2.0 before 6.2.0.11, and 6.2.1 before 6.2.1.03, when INFO logging is enabled, allows local users to discover cleartext passwords by reading log files.

entity_reference_project -- entityreference | 2014-04-29 | 4.3 | CVE-2013-7066
The Entity reference module 7.x-1.x before 7.x-1.1-rc1 for Drupal allows remote attackers to read private node titles by leveraging edit permissions to a node that references a private node.

fortinet -- fortiweb | 2014-04-30 | 4.3 | CVE-2014-1955
Cross-site scripting (XSS) vulnerability in FortiGuard FortiWeb before 5.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

fortinet -- fortiweb | 2014-04-30 | 6.5 | CVE-2014-1957
FortiGuard FortiWeb before 5.0.3 allows remote authenticated users to gain privileges via unspecified vectors.
gnome -- gnome-shell | 2014-04-29 | 4.6 | CVE-2013-7220
js/ui/screenShield.js in GNOME Shell (aka gnome-shell) before 3.8 allows physically proximate attackers to execute arbitrary commands by leveraging an unattended workstation with the keyboard focus on the Activities search.

gnome -- gnome-shell | 2014-04-29 | 4.6 | CVE-2013-7221
The automatic screen lock functionality in GNOME Shell (aka gnome-shell) before 3.10 does not prevent access to the "Enter a Command" dialog, which allows physically proximate attackers to execute arbitrary commands by leveraging an unattended workstation.

gnustep -- base | 2014-04-28 | 4.3 | CVE-2014-2980
Tools/gdomap.c in gdomap in GNUstep Base 1.24.6 and earlier, when run in daemon mode, does not properly handle the file descriptor for the logger, which allows remote attackers to cause a denial of service (abort) via an invalid request.

ibm -- websphere_application_server | 2014-05-01 | 4.3 | CVE-2014-0823
IBM WebSphere Application Server (WAS) 8.x before 8.0.0.9 and 8.5.x before 8.5.5.2 allows remote attackers to read arbitrary files via a crafted URL.

ibm -- websphere_application_server | 2014-05-01 | 4.0 | CVE-2014-0857
The Administrative Console in IBM WebSphere Application Server (WAS) 8.x before 8.0.0.9 and 8.5.x before 8.5.5.2 allows remote authenticated users to obtain sensitive information via a crafted request.

ibm -- websphere_application_server | 2014-05-01 | 5.0 | CVE-2014-0859
The web-server plugin in IBM WebSphere Application Server (WAS) 7.x before 7.0.0.33, 8.x before 8.0.0.9, and 8.5.x before 8.5.5.2, when POST retries are enabled, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors.

ibm -- websphere_application_server | 2014-05-01 | 4.3 | CVE-2014-0896
IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8.5.5.2 allows remote attackers to obtain sensitive information via a crafted request.
igniterealtime -- smack | 2014-04-30 | 5.8 | CVE-2014-0363
The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.

igniterealtime -- smack | 2014-04-30 | 5.0 | CVE-2014-0364
The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute.

invitation_project -- invitation | 2014-04-29 | 5.0 | CVE-2013-7063
The Invitation module 7.x-2.x for Drupal does not properly check permissions, which allows remote attackers to obtain sensitive information via unspecified default views.

joachim_noreiko -- flag_module | 2014-04-27 | 4.3 | CVE-2013-4336
Cross-site scripting (XSS) vulnerability in the admin page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag name.

linux -- linux_kernel | 2014-04-26 | 4.6 | CVE-2014-2889
Off-by-one error in the bpf_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 3.1.8, when BPF JIT is enabled, allows local users to cause a denial of service (system crash) or possibly gain privileges via a long jump after a conditional jump.

litech -- router_advertisement_daemon | 2014-04-27 | 6.4 | CVE-2011-3602
Directory traversal vulnerability in device-linux.c in the router advertisement daemon (radvd) before 1.8.2 allows local users to overwrite arbitrary files, and remote attackers to overwrite certain files, via a .. (dot dot) in an interface name. NOTE: this can be leveraged with a symlink to overwrite arbitrary files.
litech -- router_advertisement_daemon | 2014-04-27 | 4.4 | CVE-2011-3603
The router advertisement daemon (radvd) before 1.8.2 does not properly handle errors in the privsep_init function, which causes the radvd daemon to run as root and has an unspecified impact.

malcolm_nooning -- plrpc | 2014-04-29 | 6.8 | CVE-2013-7284
The PlRPC module, possibly 0.2020 and earlier, for Perl uses the Storable module, which allows remote attackers to execute arbitrary code via a crafted request, which is not properly handled when it is deserialized.

mediawiki -- mediawiki | 2014-04-29 | 4.3 | CVE-2014-2853
Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.

misli -- misli.com_app | 2014-04-25 | 6.4 | CVE-2014-2992
The Misli.com application for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

mozilla -- firefox | 2014-04-30 | 6.9 | CVE-2014-1520
maintenservice_installer.exe in the Maintenance Service Installer in Mozilla Firefox before 29.0 and Firefox ESR 24.x before 24.5 on Windows allows local users to gain privileges by placing a Trojan horse DLL file into a temporary directory at an unspecified point in the update process.

mozilla -- firefox | 2014-04-30 | 4.3 | CVE-2014-1523
Heap-based buffer overflow in the read_u32 function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG image.
mozilla -- firefox The XrayWrapper implementation in Mozilla Firefox 2014-04-30 5.8 CVE-2014-1526 before 29.0 and SeaMonkey before 2.26 allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site that is visited in the debugger, leading to unwrapping operations and calls to DOM methods on the unwrapped objects. mozilla -- firefox Mozilla Firefox before 29.0 on Android allows 2014-04-30 5.0 CVE-2014-1527 remote attackers to spoof the address bar via crafted JavaScript code that uses DOM events to prevent the reemergence of the actual address bar after scrolling has taken it off of the screen. mozilla -- firefox The docshell implementation in Mozilla Firefox 2014-04-30 4.3 CVE-2014-1530 before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to trigger the loading of a URL with a spoofed baseURI property, and conduct cross-site scripting (XSS) attacks, via a crafted web site that performs history navigation. neo4j -- neo4j Multiple cross-site request forgery (CSRF) 2014-04-29 4.3 CVE-2013-7259 vulnerabilities in Neo4J 1.9.2 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary code, as demonstrated by a request to (1) db/data/ext/GremlinPlugin/graphdb/execute_scrip t or (2) db/manage/server/console/. net-snmp -- net- The perl_trapd_handler function in 2014-04-27 4.3 CVE-2014-2285 snmp perl/TrapReceiver/TrapReceiver.xs in Net-SNMP 5.7.3.pre3 and earlier, when using certain Perl versions, allows remote attackers to cause a denial of service (snmptrapd crash) via an empty community string in an SNMP trap, which triggers a NULL pointer dereference within the newSVpv function in Perl. openjpeg -- OpenJPEG 1.5.1 allows remote attackers to obtain 2014-04-27 5.0 CVE-2013-6053 openjpeg sensitive information via unspecified vectors that trigger a heap-based out-of-bounds read. 
openjpeg -- OpenJPEG 1.5.1 allows remote attackers to cause a 2014-04-27 6.4 CVE-2013-6887 openjpeg denial of service via unspecified vectors that trigger NULL pointer dereferences, division-by-zero, and other errors. openstack -- The Sheepdog backend in OpenStack Image 2014-04-27 6.0 CVE-2014-0162 icehouse Registry and Delivery Service (Glance) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote authenticated users with permission to insert or modify an image to execute arbitrary commands via a crafted location. organic_groups_pr The Organic Groups (OG) module 7.x-2.x before 7.x- 2014-04-29 5.8 CVE-2013-7065 oject -- 2.3 for Drupal allows remote attackers to bypass organic_groups access restriction and post to arbitrary groups via a group audience field, as demonstrated by the og_group_ref field. organic_groups_pr The Organic Groups (OG) module 7.x-2.x before 7.x- 2014-04-29 4.9 CVE-2013-7068 oject -- 2.3 for Drupal allows remote authenticated users to organic_groups bypass group restrictions on nodes with all groups set to optional input via an empty group field. papercut -- Unspecified vulnerability in Papercut MF and NG 2014-04-28 5.0 CVE-2014-2658 papercut_mf before 14.1 (Build 26983) allows attacker to cause a denial of service via unknown vectors. 
php-fusion -- php- Multiple cross-site scripting (XSS) vulnerabilities in 2014-04-29 4.3 CVE-2013-1804 fusion PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) "__BBCODE__" parameter to administration/bbcodes.php; errorMessage parameter to (9) article_cats.php, (10) download_cats.php, (11) news_cats.php, or (12) weblink_cats.php in administration/, when error is 3; or (13) body or (14) body2 parameter to administration/articles.php. php-fusion -- php- Multiple directory traversal vulnerabilities in PHP- 2014-04-30 6.5 CVE-2013-1806 fusion Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php. php-fusion -- php- PHP-Fusion before 7.02.06 stores backup files with 2014-04-30 5.0 CVE-2013-1807 fusion predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/. 
pocoproject -- The Poco::Net::X509Certificate::verify method in the 2014-04-25 6.4 CVE-2014-0350 poco_c++_libraries NetSSL library in POCO C++ Libraries before 1.4.6p4 allows man-in-the-middle attackers to spoof SSL servers via crafted DNS PTR records that are requested during comparison of a server name to a wildcard domain name in an X.509 certificate. redhat -- Cumin (aka MRG Management Console), as used in 2014-04-30 5.0 CVE-2013-6445 enterprise_mrg Red Hat Enterprise MRG 2.5, uses the DES-based crypt function to hash passwords, which makes it easier for attackers to obtain sensitive information via a brute-force attack. sap -- The Java Server Pages in the Software Lifecycle 2014-04-30 5.0 CVE-2014-3129 netweaver_softwar Manager (SLM) in SAP NetWeaver allows remote e_lifecycle_manage attackers to obtain sensitive information via a r crafted request, related to SAP Solution Manager 7.1. sap -- The ABAP Help documentation and translation 2014-04-30 4.6 CVE-2014-3130 netweaver_abap_a tools (BC-DOC-HLP) in Basis in SAP Netweaver ABAP pplication_server Application Server does not properly restrict access, which allows local users to gain privileges and execute ABAP instructions via crafted help messages. sap -- SAP Profile Maintenance does not properly restrict 2014-04-30 4.0 CVE-2014-3131 profile_maintenanc access, which allows remote authenticated users to e obtain sensitive information via an unspecified RFC function, related to SAP Solution Manager 7.1. sap -- SAP Background Processing does not properly 2014-04-30 4.0 CVE-2014-3132 background_proces restrict access, which allows remote authenticated sing users to obtain sensitive information via an unspecified RFC function, related to SAP Solution Manager 7.1. 
sap -- SAP Netweaver Java Application Server does not 2014-04-30 5.0 CVE-2014-3133 netweaver_java_ap properly restrict access, which allows remote plication_server attackers to obtain the list of SAP systems registered on an SLD via an unspecified webdynpro, related to SystemSelection. sap -- Cross-site scripting (XSS) vulnerability in the 2014-04-30 4.3 CVE-2014-3134 businessobjects InfoView application in SAP BusinessObjects allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. simplemachines -- Simple Machines Forum (SMF) before 1.1.19 and 2.x 2014-04-29 4.3 CVE-2013-7234 simple_machines_f before 2.0.6 allows remote attackers to conduct orum clickjacking attacks via an X-Frame-Options header. southrivertech -- Directory traversal vulnerability in the web interface 2014-04-29 5.0 CVE-2014-1841 titan_ftp_server in Titan FTP Server before 10.40 build 1829 allows remote attackers to copy an arbitrary user's home folder via a Move action with a .. (dot dot) in the src parameter. southrivertech -- Directory traversal vulnerability in the web interface 2014-04-29 5.0 CVE-2014-1842 titan_ftp_server in Titan FTP Server before 10.40 build 1829 allows remote attackers to list all usernames via a Go action with a .. (dot dot) in the search-bar value. southrivertech -- Directory traversal vulnerability in the web interface 2014-04-29 5.0 CVE-2014-1843 titan_ftp_server in Titan FTP Server before 10.40 build 1829 allows remote attackers to obtain the property information of an arbitrary home folder via a Properties action with a .. (dot dot) in the src parameter. tibco -- TIBCO Managed File Transfer Internet Server before 2014-04-30 5.0 CVE-2014-2545 managed_file_trans 7.2.2, Managed File Transfer Command Center fer_command_cent before 7.2.2, Slingshot before 1.9.1, and Vault er before 1.0.1 allow remote attackers to obtain sensitive information via a crafted HTTP request. 
transifex -- transifex Transifex command-line client before 0.9 does not 2014-05-01 4.3 CVE-2013-2073 validate X.509 certificates, which allows man-in- the-middle attackers to spoof a Transifex server via an arbitrary certificate. transifex -- transifex Transifex command-line client before 0.10 does not 2014-05-01 4.3 CVE-2013-7110 validate X.509 certificates for data transfer connections, which allows man-in-the-middle attackers to spoof a Transifex server via an arbitrary certificate. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2073. ubercart -- ubercart Session fixation vulnerability in the Ubercart 2014-04-29 6.8 CVE-2013-7302 module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID. vbulletin -- vbulletin Multiple cross-site scripting (XSS) vulnerabilities in 2014-04-30 4.3 CVE-2014-3135 vBulletin 5.1.1 Alpha 9 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to privatemessage/new/, (2) the folderid parameter to a private message in privatemessage/view, (3) a fragment indicator to /help, or (4) the view parameter to a topic, as demonstrated by a request to forum/anunturi- importante/rst-power/67030-rst-admin-restore. videowhisper -- Multiple cross-site scripting (XSS) vulnerabilities in 2014-04-28 4.3 CVE-2014-2715 videowhisper vwrooms\templates\logout.tpl.php in the VideoWhisper Webcam plugins for Drupal 7.x allow remote attackers to inject arbitrary web script or HTML via the (1) module or (2) message parameter to index.php. 
xen -- xen The vgic_distr_mmio_write function in the virtual 2014-04-28 5.5 CVE-2014-2986 guest interrupt controller (GIC) distributor (arch/arm/vgic.c) in Xen 4.4.x, when running on an ARM system, allows local guest users to cause a denial of service (NULL pointer dereference and host crash) via unspecified vectors. xerox -- docushare SQL injection vulnerability in Xerox DocuShare 2014-05-01 6.5 CVE-2014-3138 before 6.53 Patch 6 Hotfix 2, 6.6.1 Update 1before Hotfix 24, and 6.6.1 Update 2 before Hotfix 3 allows remote authenticated users to execute arbitrary SQL commands via the PATH_INFO to /docushare/dsweb/ResultBackgroundJobMultiple/. NOTE: some of these details are obtained from third party information. zarafa -- zarafa The ValidateUserLogon function in 2014-04-28 5.0 CVE-2014-0037 provider/libserver/ECSession.cpp in Zarafa 5.00 before 7.1.8 beta2 allows remote attackers to cause a denial of service (crash) via vectors related to "a NULL pointer of the username." zarafa -- zarafa The ValidateUserLogon function in 2014-04-28 5.0 CVE-2014-0079 provider/libserver/ECSession.cpp in Zarafa 7.1.8, 6.20.0, and earlier, when using certain build conditions, allows remote attackers to cause a denial of service (crash) via vectors related to "a NULL pointer of the password." zlib -- pigz Race condition in pigz before 2.2.5 uses permissions 2014-04-27 4.4 CVE-2013-0296 derived from the umask when compressing a file before setting that file's permissions to match those of the original file, which might allow local users to bypass intended access permissions while compression is occurring.

Low Severity Vulnerabilities

| Primary Vendor -- Product | Description | Date Published | CVSS Score | CVE Identity |
| --- | --- | --- | --- | --- |
| ajenti -- ajenti | Cross-site scripting (XSS) vulnerability in plugins/main/content/js/ajenti.coffee in Eugene Pankov Ajenti 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via the command field in the Cron functionality. | 2014-04-30 | 3.5 | CVE-2014-2260 |
| blender -- blender | The undo save quit routine in the kernel in Blender 2.5, 2.63a, and earlier allows local users to overwrite arbitrary files via a symlink attack on the quit.blend temporary file. NOTE: this issue might be a regression of CVE-2008-1103. | 2014-04-27 | 3.3 | CVE-2010-5105 |
| cybozu -- garoon | The Phone Messages feature in Cybozu Garoon 2.0.0 through 3.7 SP2 allows remote authenticated users to cause a denial of service (resource consumption) via unspecified vectors. | 2014-05-02 | 3.5 | CVE-2014-1988 |
| dkorunic -- pam_s/key | A certain Gentoo patch for the PAM S/Key module does not properly clear credentials from memory, which allows local users to obtain sensitive information by reading system memory. | 2014-04-28 | 2.1 | CVE-2013-4285 |
| freelance-it-consultant -- eu_cookie_compliance | Cross-site scripting (XSS) vulnerability in the EU Cookie Compliance module 7.x-1.x before 7.x-1.12 for Drupal allows remote authenticated administrators with the "Administer EU Cookie Compliance popup" permission to inject arbitrary web script or HTML via unspecified configuration values. | 2014-04-29 | 2.1 | CVE-2013-7064 |
| gnome -- gnome_display_manager | GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list is set to true, allows local users to cause a denial of service (unable to login) by pressing the cancel button after entering a user name. | 2014-04-29 | 2.1 | CVE-2013-7273 |
| ibm -- websphere_application_server | Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 7.x before 7.0.0.33, 8.x before 8.0.0.9, and 8.5.x before 8.5.5.2, and WebSphere Virtual Enterprise 7.x before 7.0.0.5, allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2014-05-01 | 3.5 | CVE-2013-6323 |
| ibm -- tivoli_netcool/omnibus | Cross-site scripting (XSS) vulnerability in webtop/eventviewer/eventViewer.jsp in the Web GUI in IBM Netcool/OMNIbus 7.4.0 before FP2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-0942. | 2014-05-01 | 3.5 | CVE-2014-0941 |
| ibm -- tivoli_netcool/omnibus | Cross-site scripting (XSS) vulnerability in webtop/eventviewer/eventViewer.jsp in the Web GUI in IBM Netcool/OMNIbus 7.4.0 before FP2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-0941. | 2014-05-01 | 3.5 | CVE-2014-0942 |
| linux -- linux_kernel | The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program. | 2014-04-26 | 2.1 | CVE-2014-0181 |

• Sources: http://nvd.nist.gov (for more information, visit the National Vulnerability Database (NVD), which contains a database of every vulnerability that has ever been published).

Uganda Communications Commission – UGCERT
Email: [email protected]
Tel: +256 414 302 100/150
Toll Free: 0800 133 911
Website: www.ug-cert.ug
Facebook / Twitter: UGCERT