Vulnerability Summary for the Week of September 8, 2014

Please Note:

• The vulnerabilities are categorized by their level of severity, which is either High, Medium or Low.

• The CVE identity number is the publicly known ID given to that particular vulnerability. Therefore you can search the status of that particular vulnerability using that ID.

• The CVSS (Common Vulnerability Scoring System) score is a standard scoring system used to determine the severity of the vulnerability.

High Severity Vulnerabilities

Primary Vendor -- Product | Description | Date Published | CVSS Score | CVE Identity | Source

address_visualization_with_google_maps_project -- address_visualization_with_google_maps | SQL injection vulnerability in the Address visualization with Google Maps (st_address_map) extension before 0.3.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2014-09-11 | 7.5 | CVE-2014-6239 | BID

adobe -- adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, and CVE-2014-0555. | 2014-09-09 | 10.0 | CVE-2014-0547

adobe -- adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow remote attackers to bypass the Same Origin Policy via unspecified vectors. | 2014-09-09 | 7.5 | CVE-2014-0548

adobe -- adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, and CVE-2014-0555. | 2014-09-09 | 10.0 | CVE-2014-0549

adobe -- adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0551, CVE-2014-0552, and CVE-2014-0555. | 2014-09-09 | 10.0 | CVE-2014-0550

adobe -- adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0552, and CVE-2014-0555. | 2014-09-09 | 10.0 | CVE-2014-0551

adobe -- adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, and CVE-2014-0555. | 2014-09-09 | 10.0 | CVE-2014-0552

adobe -- adobe_air | Use-after-free vulnerability in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors. | 2014-09-09 | 10.0 | CVE-2014-0553

adobe -- adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to bypass intended access restrictions via unspecified vectors. | 2014-09-10 | 10.0 | CVE-2014-0554

adobe -- adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, and CVE-2014-0552. | 2014-09-09 | 10.0 | CVE-2014-0555

adobe -- adobe_air | Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0559. | 2014-09-09 | 10.0 | CVE-2014-0556

adobe -- adobe_air | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors. | 2014-09-09 | 10.0 | CVE-2014-0557

adobe -- adobe_air | Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0556. | 2014-09-09 | 10.0 | CVE-2014-0559

apache -- tomcat | Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file. | 2014-09-11 | 7.5 | CVE-2013-4444 | BUGTRAQ

cisco -- telepresence_system_software | Memory leak in Cisco TelePresence System Edge MXP Series Software F9.3.3 and earlier allows remote attackers to cause a denial of service (management outage) via multiple TELNET connections, aka Bug ID CSCuo63677. | 2014-09-11 | 7.8 | CVE-2014-3362

cwt_frontend_edit_project -- cwt_frontend_edit | Unspecified vulnerability in the CWT Frontend Edit (cwt_feedit) extension before 1.2.5 for TYPO3 allows remote authenticated users to execute arbitrary code via unknown vectors. | 2014-09-11 | 7.5 | CVE-2014-6231 | XF, BID, SECUNIA

flat_manager_project -- flat_manager | SQL injection vulnerability in the Flat Manager (flatmgr) extension before 2.7.10 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2014-09-11 | 7.5 | CVE-2014-6233 | XF, BID, SECUNIA

google -- chrome | Use-after-free vulnerability in core/dom/Node.cpp in Blink, as used in Google Chrome before 37.0.2062.120, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of render-tree inconsistencies. | 2014-09-10 | 7.5 | CVE-2014-3178 | CONFIRM, CONFIRM

google -- chrome | Multiple unspecified vulnerabilities in Google Chrome before 37.0.2062.120 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | 2014-09-10 | 7.5 | CVE-2014-3179 | CONFIRM, CONFIRM, CONFIRM, CONFIRM

hp -- network_node_manager_i | Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-2264. | 2014-09-10 | 10.0 | CVE-2014-2624 | HP

ibm -- san_volume_controller_software | IBM Storwize 3500, 3700, 5000, and 7000 devices and SAN Volume Controller 6.x and 7.x before 7.2.0.8 allow remote attackers to reset the administrator superuser password to its default value via a direct request to the administrative IP address. | 2014-09-11 | 7.5 | CVE-2014-4811 | XF

kennziffer -- ke_dompdf | Unspecified vulnerability in the ke DomPDF extension before 0.0.5 for TYPO3 allows remote attackers to execute arbitrary code via unknown vectors. | 2014-09-11 | 7.5 | CVE-2014-6235 | XF, BID

lumonet_php_include_project -- lumonet_php_include | Unspecified vulnerability in the LumoNet PHP Include (lumophpinclude) extension before 1.2.1 for TYPO3 allows remote attackers to execute arbitrary scripts via vectors related to extension links. | 2014-09-11 | 7.5 | CVE-2014-6236 | XF, BID, SECUNIA

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-2799

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4059

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4065

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4079

microsoft -- internet_explorer | Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4089, CVE-2014-4091, and CVE-2014-4102. | 2014-09-09 | 9.3 | CVE-2014-4080

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4081

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 2014-09-09 | 9.3 | CVE-2014-4082

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4083

microsoft -- internet_explorer | Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4093. | 2014-09-09 | 9.3 | CVE-2014-4084

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4085

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 2014-09-09 | 9.3 | CVE-2014-4086

microsoft -- internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4095, CVE-2014-4096, and CVE-2014-4101. | 2014-09-09 | 9.3 | CVE-2014-4087

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4088

microsoft -- internet_explorer | Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4080, CVE-2014-4091, and CVE-2014-4102. | 2014-09-09 | 9.3 | CVE-2014-4089

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4090

microsoft -- internet_explorer | Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4080, CVE-2014-4089, and CVE-2014-4102. | 2014-09-09 | 9.3 | CVE-2014-4091

microsoft -- internet_explorer | Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4098. | 2014-09-09 | 9.3 | CVE-2014-4092

microsoft -- internet_explorer | Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4084. | 2014-09-09 | 9.3 | CVE-2014-4093

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4094

microsoft -- internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4087, CVE-2014-4096, and CVE-2014-4101. | 2014-09-09 | 9.3 | CVE-2014-4095

microsoft -- internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4087, CVE-2014-4095, and CVE-2014-4101. | 2014-09-09 | 9.3 | CVE-2014-4096

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4097

microsoft -- internet_explorer | Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4092. | 2014-09-09 | 9.3 | CVE-2014-4098

microsoft -- internet_explorer | Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 2014-09-09 | 9.3 | CVE-2014-4099

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4100

microsoft -- internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4087, CVE-2014-4095, and CVE-2014-4096. | 2014-09-09 | 9.3 | CVE-2014-4101

microsoft -- internet_explorer | Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4080, CVE-2014-4089, and CVE-2014-4091. | 2014-09-09 | 9.3 | CVE-2014-4102

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4103

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4104

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4105

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4106

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4107

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4108

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4110, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4109

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, and CVE-2014-4111. | 2014-09-09 | 9.3 | CVE-2014-4110

microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, and CVE-2014-4110. | 2014-09-09 | 9.3 | CVE-2014-4111

phpwiki -- phpwiki | The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information. | 2014-09-11 | 7.5 | CVE-2014-5519 | EXPLOIT-DB, SECUNIA, MLIST, MLIST, FULLDISC, MISC, OSVDB

plogger -- plogger | Unrestricted file upload vulnerability in plog-admin/plog-upload.php in Plogger 1.0 RC1 and earlier allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-zero length PNG file, then accessing the PHP file via a direct request to it in plog-content/uploads/archive/. | 2014-09-11 | 7.5 | CVE-2014-2223 | MISC, EXPLOIT-DB, MLIST, MLIST, MISC

procmail -- procmail | Heap-based buffer overflow in formisc.c in formail in procmail 3.22 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted email header, related to "unbalanced quotes." | 2014-09-08 | 7.5 | CVE-2014-3618 | XF, UBUNTU, BID, MLIST, DEBIAN

sensysnetworks -- trafficdot | Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not verify the integrity of downloaded updates, which allows remote attackers to execute arbitrary code via a Trojan horse update. | 2014-09-05 | 7.6 | CVE-2014-2378 | MISC

wt_directory_project -- wt_directory | SQL injection vulnerability in the wt_directory extension before 1.4.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2014-09-11 | 7.5 | CVE-2014-6241 | XF, BID, SECUNIA

Medium Severity Vulnerabilities

Primary Vendor -- Product | Description | Date Published | CVSS Score | CVE Identity | Source

1800contacts -- 1800contacts_app | The 1800CONTACTS App (aka com.contacts1800.ecomapp) application 2.7.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5601 | MISC

9gag -- 9gag_-_funny_pics_and_videos | The 9GAG - Funny pics and videos (aka com.ninegag.android.app) application 2.4.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5669 | MISC

aceviral -- angry_gran_toss | The Angry Gran Toss (aka com.aceviral.angrygrantoss) application 1.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5564 | MISC

adcolony -- adcolony_library | The Adcolony library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5524 | CERT-VN, MISC

adidas -- honolulu | The Honolulu (aka adidas.jp.android.running.honolulu) application 2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5532 | MISC

adiscon -- loganalyzer | Multiple cross-site scripting (XSS) vulnerabilities in Adiscon LogAnalyzer before 3.6.6 allow remote attackers to inject arbitrary web script or HTML via the hostname in (1) index.php or (2) detail.php. | 2014-09-11 | 4.3 | CVE-2014-6070 | XF, EXPLOIT-DB, FULLDISC, MISC

adt-taxis -- adt_taxis | The ADT Taxis (aka com.icabbi.adttaxisApp) application 6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5639 | MISC

akronymmanager_project -- akronymmanager | Cross-site scripting (XSS) vulnerability in the Akronymmanager (aka SB Folderdownload) extension 0.5.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-11 | 4.3 | CVE-2014-6238 | XF, BID

al_3azmi -- ce4arab_market | The ce4arab market (aka com.dreamstep.wce4arabmarket) application 0.12.13093.40460 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5610 | MISC

americostech -- selfshot_front_flash_camera | The Selfshot - Front Flash Camera (aka com.americos.selfshot) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5566 | MISC

amiscu -- westmoreland_water_fcu | The Westmoreland Water FCU (aka air.com.creditunionhomebanking.mb115) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5538 | CERT-VN, MISC

amiscu -- michael_baker_federal_credit_union | The Michael Baker FCU (aka air.com.creditunionhomebanking.mb155) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5539 | MISC

androkera -- las_vegas_lottery_scratch_off | The Las Vegas Lottery Scratch Off (aka com.androkera.lottery) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5568 | MISC

animoca -- star_girl | The Star Girl (aka com.animoca.google.starGirl) application 3.4.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5569 | MISC

animoca -- bunny_run | The Bunny Run (aka com.stargirlgames.google.bunnyrun) application 1.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5707 | MISC

animoca -- fashion_style | The Fashion Style (aka com.thirtysixyougames.google.starGirlSingapore) application 3.4.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5717 | MISC

anywherepad -- anywhere_pad-meet,_collaborate | The Anywhere Pad-Meet, Collaborate (aka com.azeus.anywherepad) application 4.0.1031 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5579 | MISC
aol -- dailyfinance_- The DailyFinance - Stocks & News (aka 2014-09-08 5.4 CVE-2014-5570 MISC (link is _stocks_&_news com.aol.mobile.dailyFinance) application 2.0.2.1 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. app_maker_ks -- The Buy Books (aka com.wBooksForSale) 2014-09-09 5.4 CVE-2014-5734 MISC (link is buy_books application 0.1 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. appeak -- poker The Appeak Poker (aka com.appeak.poker) 2014-09-08 5.4 CVE-2014-5571 MISC (link is application 2.4.5 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. appministry -- The Princess Shopping (aka 2014-09-08 5.4 CVE-2014-5534 MISC (link is princess_shopping air.android.PrincessShopping) application 2 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. appsflyer -- The Appsflyer library for Android does not verify 2014-09-08 5.4 CVE-2014-5528 MISC (link is appsflyer X.509 certificates from SSL servers, which allows external) man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. appstros -- The Appstros - FREE Gift Cards! (aka 2014-09-08 5.4 CVE-2014-5573 MISC (link is appstros_- com.appstros.main) application 1.1.3 for Android external) _free_gift_cards! does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
arris -- The Arris Touchstone DG950A cable modem with 2014-09-05 5.0 CVE-2014-4863 CERT-VN touchstone_dg950a software 7.10.131 has an SNMP community of MISC (link is _software public, which allows remote attackers to obtain external) sensitive password, key, and SSID information via an SNMP request. ask.fm -- ask.fm- The Ask.fm - Social Q&A Network (aka com.askfm) 2014-09-08 5.4 CVE-2014-5574 CERT-VN social_q&a_networ application 1.2.4 for Android does not verify X.509 MISC (link is k certificates from SSL servers, which allows man-in- external) the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. avd-app -- The AVD Download Video (aka 2014-09-08 5.4 CVE-2014-5666 MISC (link is avd_download_vid com.myboyfriendisageek.videocatcher.demo) external) eo application 3.3.13 for Android does not verify X.509 certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. avira -- The Avira Secure Backup (aka 2014-09-08 5.4 CVE-2014-5576 MISC (link is avira_secure_backu com.avira.avirabackup) application 1.2.3 for external) p Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. avolvesoftware -- Cross-site scripting (XSS) vulnerability in Avolve 2014-09-11 4.3 CVE-2014-5129 XF (link is projectdox Software ProjectDox 8.1 allows remote attackers to external) inject arbitrary web script or HTML via unspecified BUGTRAQ vectors. (link is external) avon -- The AVON Buy & Sell (aka 2014-09-08 5.4 CVE-2014-5577 MISC (link is avon_buy&sell com.AVONBeautyntheRep) application 0.3 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
backgroundcheckpr The BackgroundCheckProTool (aka 2014-09-08 5.4 CVE-2014-5580 MISC (link is otool -- com.BackgroundCheckProTool) application 3.5 for external) backgroundcheckpr Android does not verify X.509 certificates from SSL otool servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. band -- band_- The BAND -Group sharing & planning (aka 2014-09-08 5.4 CVE-2014-5668 MISC (link is group_sharing_&_p com.nhn.android.band) application 3.2.8 for external) lanning Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. bashgaming -- The Bingo Bash - Free Bingo Casino (aka 2014-09-08 5.4 CVE-2014-5536 CERT-VN bingo_bash_free_bi air.com.bitrhymes.bingo) application 1.31.1 for CERT-VN ngo_casino Android does not verify X.509 certificates from SSL MISC (link is servers, which allows man-in-the-middle attackers external) to spoof servers and obtain sensitive information via a crafted certificate. beenverified -- The Background Check BeenVerified (aka 2014-09-08 5.4 CVE-2014-5584 MISC (link is background_check_ com.beenverified.android) application 4.01.67 for external) beenverified Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. biat -- biatnet The BIATNET (aka com.biatnet.mobile) application 2014-09-08 5.4 CVE-2014-5586 MISC (link is 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle external) attackers to spoof servers and obtain sensitive information via a crafted certificate. 
biggame -- The brokenscreencrank (aka 2014-09-08 5.4 CVE-2014-5587 MISC (link is brokenscreencrank com.biggame.brokenscreencrank) application 1.1 external) for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. blackbeltstudio -- The Most Popular Ringtones (aka 2014-09-08 5.4 CVE-2014-5583 MISC (link is most_popular_ringt com.bbs.mostpopularringtones) application 32 for external) ones Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. bmfapps -- The Free eBooks (aka 2014-09-08 5.4 CVE-2014-5588 MISC (link is free_ebooks com.bmfapps.freekindlebooks) application 14 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. btwgames -- The Snake Evolution (aka com.btwgames.snake) 2014-09-08 5.4 CVE-2014-5590 MISC (link is snake_evolution application 1.3.1 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. ca_lottery_results_ The CA Lottery Results (aka com.matcho0.calotto) 2014-09-08 5.4 CVE-2014-5657 MISC (link is project -- application 2.1 for Android does not verify X.509 external) ca_lottery_results certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. cacheguard -- Cross-site request forgery (CSRF) vulnerability in 2014-09-10 6.8 CVE-2014-4865 CERT-VN cacheguardos gui/password-wadmin.apl in CacheGuard OS 5.7.7 allows remote attackers to hijack the authentication of arbitrary users. 
casinogame -- The Video Poker Casino (aka 2014-09-08 5.4 CVE-2014-5631 MISC (link is video_poker_casino com.geaxgame.videopoker) application 1.0.5 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. chewysoftware -- The Abduction Stacker Free (aka 2014-09-08 5.4 CVE-2014-5537 MISC (link is abduction_stacker_ air.com.chewygames.abductionstacker2) external) free application 1.0.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. choiceoflove -- The Free Dating Heart COL (aka 2014-09-08 5.4 CVE-2014-5592 MISC (link is free_dating_heart_ com.choiceoflove.dating) application 2.6.1 for external) col Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. christiancafe -- The Christian Dating Cafe (aka 2014-09-08 5.4 CVE-2014-5593 MISC (link is christian_dating_ca com.christiancafe.mobile.android) application 1.0.3 external) fe for Android does not verify X.509 certificates from CERT-VN SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. cibc -- The CIBC Mobile Banking (aka 2014-09-08 5.4 CVE-2014-5594 MISC (link is cibc_mobile_bankin com.cibc.android.mobi) application 3.2 for Android external) g does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. cisco -- cli The CLI in Cisco IOS XR allows remote authenticated 2014-09-11 4.0 CVE-2014-3342 users to obtain sensitive information via unspecified commands, aka Bug IDs CSCuq42336, CSCuq76853, CSCuq76873, and CSCuq45383. 
cisco -- ios_xr Cisco IOS XR 5.1 allows remote attackers to cause a 2014-09-10 4.3 CVE-2014-3343 denial of service (DHCPv6 daemon crash) via a malformed DHCPv6 packet, aka Bug ID CSCuo59052. cisco -- The SSH module in the Integrated Management 2014-09-10 5.0 CVE-2014-3348 integrated_manage Controller (IMC) before 2.3.1 in Cisco Unified ment_controller Computing System on E-Series blade servers allows remote attackers to cause a denial of service (IMC hang) via a crafted SSH packet, aka Bug ID CSCuo69206. cmcm -- The CM Backup -Restore,Cloud,Photo (aka 2014-09-08 5.4 CVE-2014-5640 MISC (link is cm_backup_- com.ijinshan.kbackup) application 1.1.0.135 for external) restore,cloud,photo Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. cmcm -- The CM Browser - Fast & Secure (aka 2014-09-08 5.4 CVE-2014-5655 MISC (link is cm_browser_- com.ksmobile.cb) application 5.0.50 for Android external) _fast_&_secure does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. coles_credit_cards The Coles Credit Card App (aka 2014-09-08 5.4 CVE-2014-5562 MISC (link is -- au.com.colesfinancialservices.mobile) application external) coles_credit_card_a 1.0.0 for Android does not verify X.509 certificates pp from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. commerce -- The America's Economy for Phone (aka 2014-09-08 5.4 CVE-2014-5557 MISC (link is america's_economy air.gov.census.mobile.phone.americaseconomy) external) _for_phone application 1.5.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
createdineden -- The Buy Yorkshire Conference (aka 2014-09-08 5.4 CVE-2014-5635 MISC (link is buy_yorkshire_conf com.gotfocus.buyyorkshire) application 1.4 for external) erence Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. cubettechnologies The Cloud Manager (aka com.ileaf.cloud_manager) 2014-09-08 5.4 CVE-2014-5641 MISC (link is -- cloud_manager application 1.6 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. deskroll -- The DeskRoll Remote Desktop (aka 2014-09-08 5.4 CVE-2014-5603 MISC (link is deskroll_remote_de com.deskroll.client1) application 0.6 for Android external) sktop does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. devarai -- The Word Search Free (aka air.wordSearchFree) 2014-09-08 5.4 CVE-2014-5561 MISC (link is word_search_free application 4.9 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. differencegames -- The Hidden Memory - Aladdin FREE! (aka 2014-09-08 5.4 CVE-2014-5541 MISC (link is hidden_memory_- air.com.differencegames.hmaladdinfree) external) _aladdin_free! application 1.0.31 for Android does not verify X.509 certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
differencegames -- The Hidden Object - Alice Free (aka 2014-09-08 5.4 CVE-2014-5543 MISC (link is hidden_object_- air.com.differencegames.hovisionsofalicefree) external) _alice_free application 1.0.17 for Android does not verify X.509 certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. digimobistudio -- The QQ Copy (aka com.digimobistudio.qqcopy) 2014-09-08 5.4 CVE-2014-5605 MISC (link is qq_copy application 1 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. dish -- The DISH Anywhere (aka com.sm.SlingGuide.Dish) 2014-09-09 5.4 CVE-2014-5704 MISC (link is dish_anywhere application 3.5.10 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. disney -- The Where's My Perry? Free (aka 2014-09-08 5.4 CVE-2014-5606 MISC (link is where's_my_perry? com.disney.WMPLite) application 1.5.1 for Android external) _free does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. disney -- The Where's My Water? Free (aka 2014-09-08 5.4 CVE-2014-5607 MISC (link is where's_my_water? com.disney.WMWLite) application 1.9.1 for Android external) _free does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
djinnworks -- The Line Runner (Free) (aka 2014-09-08 5.4 CVE-2014-5608 MISC (link is line_runner_(free) com.djinnworks.linerunnerfree) application 4 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. djinnworks -- The Stickman Ski Racer (aka 2014-09-08 5.4 CVE-2014-5609 MISC (link is stickman_ski_racer com.djinnworks.StickmanSkiRacer.free) application external) 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. domino_labs -- The Like4Like: Get Instagram Likes (aka 2014-09-08 5.4 CVE-2014-5585 CERT-VN like4like:get_instagr com.bepop.bepop) application 2.1.5 for Android MISC (link is am_likes does not verify X.509 certificates from SSL servers, external) which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. dressup -- dress_up! The Dress Up! Girl Party (aka 2014-09-09 5.4 CVE-2014-5697 MISC (link is _girl_party com.sgn.DressUp.GirlParty) application 2 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. ebay-kleinanzeigen The eBay Kleinanzeigen for Germany (aka 2014-09-08 5.4 CVE-2014-5611 MISC (link is -- com.ebay.kleinanzeigen) application 5.0.2 for external) ebay_kleinanzeigen Android does not verify X.509 certificates from SSL _for_germany servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
elokence -- The Akinator the Genie FREE (aka 2014-09-08 5.4 CVE-2014-5604 akinator_the_genie com.digidust.elokence.akinator.freemium) MISC (link is external) _free application 2.46 for Android does not verify X.509 CERT-VN certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. emurasoft -- Emurasoft EmFTP allows local users to gain 2014-09-05 4.4 CVE-2014-3910 JVNDB (link is emftp_professional privileges via a Trojan horse executable file that is external) launched during an attempt to read a similarly JVN (link is named file that lacks a filename extension. external) MISC (link is external) enigmail -- enigmail Enigmail 1.7.x before 1.7.2 sends emails in plaintext 2014-09-08 4.3 CVE-2014-5369 MLIST (link is when encryption is enabled and only BCC recipients external) are specified, which allows remote attackers to MLIST (link is obtain sensitive information by sniffing the external) CONFIRM (link network. is external) SECUNIA (link is external) SECUNIA (link is external) SUSE entertailion -- The Able Remote (aka 2014-09-08 5.4 CVE-2014-5613 MISC (link is able_remote com.entertailion.android.remote) application 2.3.6 external) for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. etoolkit -- The Love Collage - Photo Editor (aka 2014-09-08 5.4 CVE-2014-5614 MISC (link is love_collage_- com.etoolkit.lovecollage) application 1.3 for external) _photo_editor Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
exsoul-browser -- The Exsoul Web Browser (aka com.exsoul) 2014-09-08 5.4 CVE-2014-5617 MISC (link is exsoul_web_brows application 3.3.3 for Android does not verify X.509 external) er certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. falconsc -- Session fixation vulnerability in Falcon WisePoint 2014-09-05 6.8 CVE-2014-3909 JVNDB (link is wisepoint 4.1.19.7 and earlier allows remote attackers to external) hijack web sessions via unspecified vectors. familyconnect_proj The familyconnect (aka 2014-09-08 5.4 CVE-2014-5600 MISC (link is ect -- familyconnect com.comcast.plaxo.familyconnect.app) application external) 1.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. fiksu -- fiksu The Fiksu library for Android does not verify X.509 2014-09-08 5.4 CVE-2014-5814 MISC (link is certificates from SSL servers, which allows man-in- external) the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. fingersoft -- The Cartoon Camera (aka 2014-09-08 5.4 CVE-2014-5618 MISC (link is cartoon_camera com.fingersoft.cartooncamera) application 1.2.2 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. flane -- The Cisco Class Locator Fast Lane (aka 2014-09-09 5.4 CVE-2014-5710 MISC (link is cisco_class_locator_ com.tabletkings.mycompany.fastlane.cisco) external) fast_lane application for Android does not verify X.509 certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
flickatrade -- The Flick a Trade (aka air.com.cygnecode.fat) 2014-09-08 5.4 CVE-2014-5540 CERT-VN flick_a_trade application 3.3 for Android does not verify X.509 MISC (link is certificates from SSL servers, which allows man-in- external) the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. fluik -- The Office Jerk Free (aka com.fluik.OfficeJerkFree) 2014-09-08 5.4 CVE-2014-5620 MISC (link is office_jerk_free application 1.7.13 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. fluik -- The Office Zombie (aka 2014-09-08 5.4 CVE-2014-5621 MISC (link is office_zombie com.fluik.OfficeZombieGoogleFree) application external) 1.3.13 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. flurry -- flurry- The Flurry library before 3.4.0 for Android does not 2014-09-08 5.4 CVE-2014-6024 MISC (link is analytics-android verify X.509 certificates from SSL servers, which external) allows man-in-the-middle attackers to spoof servers MISC (link is and obtain sensitive information via a crafted external) certificate. flyfishing-and- The Fly Fishing & Fly Tying (aka 2014-09-08 5.4 CVE-2014-5556 MISC (link is flytying -- air.com.yudu.ReaderAIR3209899) application 3.21.0 external) fly_fishing_&_fly_ty for Android does not verify X.509 certificates from ing SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
fortinet -- fortios The FortiManager protocol service in Fortinet 2014-09-10 5.4 CVE-2014-0351 FortiOS before 4.3.16 and 5.x before 5.0.8 on FortiGate devices does not prevent use of anonymous ciphersuites, which makes it easier for man-in-the-middle attackers to obtain sensitive information or interfere with communications by modifying the client-server data stream. franklychat -- The Frankly Chat (aka com.chatfrankly.android) 2014-09-08 5.4 CVE-2014-5591 CERT-VN frankly_chat application 3.0.1 for Android does not verify X.509 CERT-VN certificates from SSL servers, which allows man-in- MISC (link is the-middle attackers to spoof servers and obtain external) sensitive information via a crafted certificate. freshplanet -- The SongPop (aka air.com.freshplanet.games.WaM) 2014-09-08 5.4 CVE-2014-5544 MISC (link is songpop application 1.21.2 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. fungames-forfree -- The Sniper Shooter Free - Fun Game (aka 2014-09-08 5.4 CVE-2014-5624 MISC (link is sniper_shooter_free com.fungamesforfree.snipershooter.free) external) _-_fun_game application 2.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. gadgettrak -- The GadgetTrak Mobile Security (aka 2014-09-08 5.4 CVE-2014-5565 MISC (link is gadgettrak_mobile com.activetrak.android.app) application 1.6 for _security Android does not verify X.509 certificates from SSL external) servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
gamegou -- The Perfect Kick (aka 2014-09-08 5.4 CVE-2014-5625 MISC (link is perfect_kick com.gamegou.PerfectKick.google) application 1.3.0 external) for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. gameinfo -- The Best Racing/moto Games Ranking (aka 2014-09-09 5.4 CVE-2014-5708 MISC (link is best_racing/moto_ com.subapp.android.racing) application 2.2.7 for external) games_ranking Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. gameloft -- The Gameloft library for Android does not verify 2014-09-08 5.4 CVE-2014-5529 CERT-VN gameloft_library X.509 certificates from SSL servers, which allows MISC (link is man-in-the-middle attackers to spoof servers and external) obtain sensitive information via a crafted certificate. gameloft -- The Brothers In Arms 2 Free+ (aka 2014-09-08 5.4 CVE-2014-5626 MISC (link is brothers_in_arms_2 com.gameloft.android.ANMP.GloftB2HM) external) _free+ application 1.2.0b for Android does not verify X.509 certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. gameloft -- The Ice Age Village (aka 2014-09-08 5.4 CVE-2014-5627 MISC (link is ice_age_village com.gameloft.android.ANMP.GloftIAHM) external) application 2.8.0m for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. gameloft -- The Wonder Zoo - Animal rescue ! (aka 2014-09-08 5.4 CVE-2014-5628 MISC (link is wonder_zoo_- com.gameloft.android.ANMP.GloftZRHM) external) _animal_rescue_! 
application 1.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. gameresort -- The Stupid Zombies (aka 2014-09-08 5.4 CVE-2014-5629 MISC (link is stupid_zombies com.gameresort.stupidzombies) application 1.12 external) for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. gcspublishing -- The Home Repair (aka 2014-09-08 5.4 CVE-2014-5630 MISC (link is home_repair com.gcspublishing.houserepairtalk) application external) 3.7.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. getsetgames -- The Mega Jump (aka com.getsetgames.megajump) 2014-09-08 5.4 CVE-2014-5632 MISC (link is mega_jump application @7F080002 for Android does not verify external) X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. girlgame -- The Baby Get Up - Kids Care (aka 2014-09-08 5.4 CVE-2014-5535 MISC (link is baby_get_up_- air.brown.jordansa.getup) application 1.0.3 for external) _kids_care Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. girlsgames123 -- The Kiss Kiss Office (aka 2014-09-08 5.4 CVE-2014-5633 MISC (link is kiss_kiss_office com.girlsgames123.kisskissoffice) application 1 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
gmarket -- gmarket | The Gmarket (aka com.ebay.kr.gmarket) application 5.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5612 | MISC
go-text -- text_me!_free_texting_&_call | The Text Me! Free Texting & Call (aka com.textmeinc.textme) application 2.5.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5714 | MISC
goabode -- abode | The Abode (aka abode.webview) application 1.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5531 | MISC
google_sitemap_project -- google_sitemap | Cross-site scripting (XSS) vulnerability in the Google Sitemap (weeaar_googlesitemap) extension 0.4.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-11 | 4.3 | CVE-2014-6240 | BID
granita -- cloud_browser | The Cloud Browser (aka com.granitamalta.cloudbrowser) application 2.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5636 | MISC
group-office -- groupoffice | SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter. | 2014-09-11 | 6.5 | CVE-2012-4240 | XF, BID, MISC, EXPLOIT-DB, OSVDB, BUGTRAQ
hasb_e_haal_project -- hasb_e_haal | The hasb_e_haal (aka com.anawaz.hasb_e_haal) application 1.0.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5567 | MISC
home_shopping_apps -- buy_a_gift | The Buy A Gift (aka com.wBuyAGift) application 13529.90084 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5735 | MISC
huntington -- huntington_mobile | The Huntington Mobile (aka com.huntington.m) application 2.1.222 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5638 | MISC
ibm -- cognos_tm1 | IBM Cognos TM1 10.2.0.2 before IF1 and 10.2.2.0 before IF1 allows remote attackers to bypass intended access restrictions by visiting the Rights page and then following a generated link. | 2014-09-05 | 5.0 | CVE-2014-0877 | XF
ibm -- rational_license_key_server | The Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4.x before 8.1.4.4 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | 2014-09-10 | 5.0 | CVE-2014-0909
ibm -- rational_engineering_lifecycle_manager | Cross-site request forgery (CSRF) vulnerability in IBM Configuration Management Application (aka VVC) in IBM Rational Engineering Lifecycle Manager before 4.0.7 and 5.x before 5.0.1, Rational Software Architect Design Manager before 4.0.7 and 5.x before 5.0.1, and Rational Rhapsody Design Manager before 4.0.7 and 5.x before 5.0.1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences. | 2014-09-10 | 6.0 | CVE-2014-3037
ibm -- rational_doors_next_generation | IBM Jazz Team Server, as used in Rational Collaborative Lifecycle Management; Rational Quality Manager 3.x before 3.0.1.6 iFix 3, 4.x before 4.0.7, and 5.x before 5.0.1; and other Rational products, does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | 2014-09-11 | 5.0 | CVE-2014-3092 | XF
ibm -- initiate_master_data_service | Cross-site request forgery (CSRF) vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. | 2014-09-10 | 6.8 | CVE-2014-4783 | XF
ibm -- initiate_master_data_service | IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 does not properly restrict use of FRAME elements, which allows remote attackers to conduct phishing attacks, and bypass intended access restrictions or obtain sensitive information, via a crafted web site, related to a "frame injection" issue. | 2014-09-10 | 4.3 | CVE-2014-4784 | XF
ibm -- initiate_master_data_service | Cross-site request forgery (CSRF) vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences. | 2014-09-10 | 6.0 | CVE-2014-4785 | XF
ibm -- initiate_master_data_service | IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 does not properly restrict use of FRAME elements, which allows remote authenticated users to conduct phishing attacks, and bypass intended access restrictions or obtain sensitive information, via a crafted web site, related to a "frame injection" issue. | 2014-09-10 | 4.9 | CVE-2014-4786 | XF
ibm -- initiate_master_data_service | IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 does not have an off autocomplete attribute for authentication fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. | 2014-09-10 | 5.0 | CVE-2014-4788 | XF
ibm -- initiate_master_data_service | Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack web sessions via unspecified vectors. | 2014-09-10 | 6.8 | CVE-2014-4789 | XF
ibm -- websphere_portal | IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF28, 8.0.0 through 8.0.0.1 CF13, and 8.5.0 before CF02 allows remote authenticated users to cause a denial of service (disk consumption) by uploading large files. | 2014-09-11 | 4.0 | CVE-2014-4792 | XF, AIXAPAR
ibm -- urbancode_deploy | IBM UrbanCode Deploy 6.1.0.2 before IF1 allows remote authenticated users to read keystore secret keys via a direct request to a UI page. | 2014-09-10 | 4.0 | CVE-2014-6074
ilearnwith -- animals!_kids_preschool_games | The Animals! Kids Preschool Games (aka air.com.tribalnova.Animals) application 1.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5550 | MISC
ilearnwith -- alphabet_&_spelling_kids_games | The Alphabet & Spelling Kids Games (aka air.com.tribalnova.ilearnwith.ipad.App1En) application 1.4.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5551 | MISC
ilearnwith -- numbers_&_addition!_math_games | The Numbers & Addition! Math games (aka air.com.tribalnova.ilearnwith.ipad.App2En) application 1.4.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5552 | MISC
ilearnwith -- kids_preschool_learning_games | The Kids Preschool Learning Games (aka air.com.tribalnova.ilearnwith.ipad.App3En) application 1.3.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5553 | MISC
ilearnwith -- fun_preschool_creativity_game | The Fun Preschool Creativity Game (aka air.com.tribalnova.ilearnwith.ipad.MotherAppEn) application 1.6.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5554 | MISC
ilearnwith -- counting_&_addition_kids_games | The Counting & Addition Kids Games (aka air.com.tribalnova.ilearnwith.ipad.PokoAddEn) application 1.8.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5555 | MISC
ilove -- ilove_-_free_dating_&_chat_app | The iLove - Free Dating & Chat App (aka com.jestadigital.android.ilove) application 1.3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5649 | MISC
imperva -- securesphere_web_application_firewall | Cross-site scripting (XSS) vulnerability in the Violations Table in the management GUI in the MX Management Server in Imperva SecureSphere Web Application Firewall (WAF) 9.0 allows remote attackers to inject arbitrary web script or HTML via the username field. | 2014-09-11 | 4.3 | CVE-2011-4887 | XF, BID, MISC, SECUNIA, OSVDB
impi -- impi_mobile_security | The IMPI Mobile Security (aka com.impi) application 2.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5642 | MISC
inmobi -- inmobi | The Inmobi library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5526 | MISC
instachat -- instachat_-instagram_messenger | The Instachat -Instagram Messenger (aka com.instachat.android) application 1.6.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5643 | MISC
intellectualflame -- brightest_led_flashlight | The Brightest LED Flashlight (aka com.intellectualflame.ledflashlight.washer) application 1.2.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5644 | MISC
intsig -- camscanner_-phone_pdf_creator | The CamScanner -Phone PDF Creator (aka com.intsig.camscanner) application 3.4.0.20140624 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5645 | MISC
iobit -- amc_security-_antivirus,_clean | The AMC Security- Antivirus, Clean (aka com.iobit.mobilecare) application 4.4.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5646 | MISC
islonline -- isl_light_remote_desktop | The ISL Light Remote Desktop (aka com.islonline.isllight.mobile.android) application 2.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5647 | MISC
jaumo -- chat,_flirt_&_dating_heart_jaumo | The Chat, Flirt & Dating Heart JAUMO (aka com.jaumo) application 2.7.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5648 | MISC
jazzpodiumdetor -- jazzpodium_de_tor | The Jazzpodium De Tor (aka com.appmakr.app273713) application 206160 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5572 | MISC
jiuzhangtech -- traffic_jam_free | The Traffic Jam Free (aka com.jiuzhangtech.rushhour) application 1.7.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5650 | MISC
jiuzhangtech -- word_search | The Word Search (aka com.virtuesoft.wordsearch) application 2.3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5731 | MISC
jogoeusei -- eu_sei | The Eu Sei (aka com.guilardi.eusei) application eusei_android_5.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5637 | MISC
josiane_sauveterre -- goldfish_care | The Kids GoldFish Care (aka air.josiane.sauveterre.kidsgoldfishcare) application 1.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5559 | MISC
kaspersky -- kaspersky_internet_security | The Kaspersky Internet Security (aka com.kms.free) application 11.4.4.232 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5654 | MISC
kicksend -- kicksend:_share_&_print_photos | The Kicksend: Share & Print Photos (aka com.kicksend.android) application 3.3.2.18 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5651 | MISC
kicksend -- kicksend_photo_prints | The Kicksend Photo Prints (aka com.kicksend.android.print) application 1.0.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5652 | MISC
kiragames -- unblock_me_free | The Unblock Me FREE (aka com.kiragames.unblockmefree) application 1.4.4.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5653 | MISC
ldap_project -- ldap | Unspecified vulnerability in the LDAP (eu_ldap) extension before 2.8.18 for TYPO3 allows remote authenticated users to obtain sensitive information via unknown vectors. | 2014-09-11 | 4.0 | CVE-2014-6232 | XF, BID, SECUNIA
lgr_mobile_apps -- show_do_milhao_2014 | The Show do Milhao 2014 (aka br.com.lgrmobile.sdm) application 1.4.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5563 | MISC
litter_penguin -- web_browser_&_explorer | The Web Browser & Explorer (aka com.explore.web.browser) application 2.0.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5616 | MISC
little_games -- africa_memory | The Africa Memory (aka air.com.klon4enabor4e.AfricaMemory) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5546 | MISC
madipass -- madipass_martinique | The Madipass Martinique (aka com.goodbarber.madipassmartinique) application 1.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5634 | MISC
magzter -- magzter_-magazine_&_book_store | The Magzter -Magazine & Book Store (aka com.dci.magzter) application 3.31 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5602 | MISC
makingmoneywithandroid -- ingress_intel_helper | The Ingress Intel Helper (aka com.bb.ingressintel) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5582 | MISC
mdickie -- hard_time | The Hard Time (Prison Sim) (aka air.HardTime) application 1.111 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5558 | MISC
mdickie -- popscene | The Popscene (Music Industry Sim) (aka air.Popscene) application 1.04 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5560 | MISC
mercadolibre -- mercadolibre | The MercadoLibre (aka com.mercadolibre) application 3.8.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5658 | MISC
metago -- astro_file_manager_with_cloud | The ASTRO File Manager with Cloud (aka com.metago.astro) application ASTRO-4.4.592 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5659 | MISC
microsoft -- lync_server | The Response Group Service in Microsoft Lync Server 2010 and 2013 and the Core Components in Lync Server 2013 do not properly handle exceptions, which allows remote attackers to cause a denial of service (daemon hang) via a crafted call, aka "Lync Denial of Service Vulnerability." | 2014-09-09 | 5.0 | CVE-2014-4068 | CONFIRM
microsoft -- lync_server | Cross-site scripting (XSS) vulnerability in the Web Components Server in Microsoft Lync Server 2013 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Lync XSS Information Disclosure Vulnerability." | 2014-09-09 | 4.3 | CVE-2014-4070
microsoft -- lync_server | The Server in Microsoft Lync Server 2013 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon hang) via a crafted request, aka "Lync Denial of Service Vulnerability." | 2014-09-09 | 5.0 | CVE-2014-4071 | CONFIRM
microsoft -- .net_framework | Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 does not properly use a hash table for request data, which allows remote attackers to cause a denial of service (resource consumption and ASP.NET performance degradation) via crafted requests, aka ".NET Framework Denial of Service Vulnerability." | 2014-09-09 | 5.0 | CVE-2014-4072 | CONFIRM
microsoft -- windows_8 | The Task Scheduler in Microsoft , Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via an application that schedules a crafted task, aka "Task Scheduler Vulnerability." | 2014-09-09 | 6.8 | CVE-2014-4074
microsoft -- microsoft_tech_companion | The Microsoft Tech Companion (aka com.technet) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5711 | MISC
miniclip -- anger_of_stick_3 | The Anger of Stick 3 (aka com.miniclip.angerofstick3) application 1.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5661 | MISC
miniclip -- rail_rush | The Rail Rush (aka com.miniclip.railrush) application 1.9.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5662 | MISC
miniupnp_project -- miniupnpd | The getHTTPResponse function in miniwget.c in MiniUPnP 1.9 allows remote attackers to cause a denial of service (crash) via crafted headers that trigger an out-of-bounds read. | 2014-09-11 | 5.0 | CVE-2014-3985 | CONFIRM, CONFIRM, BID, MLIST, MLIST
mirror_photo_&_shape_project -- mirror_photo_&_shape | The mirror photo shape (aka com.baiwang.styleinstamirror) application 1.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5581 | MISC
mobbtech -- follow_mania_for_instagram | The Follow Mania for Instagram (aka com.followmania) application 1.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5622 | MISC
mobilityware -- freecell_solitaire | The FreeCell Solitaire (aka com.mobilityware.freecell) application 2.1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5663 | MISC
mobilityware -- spider_solitaire | The Spider Solitaire (aka com.mobilityware.spider) application 3.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5664 | MISC
mymembersfirst -- tn_members_1st_fcu-rdc | The TN Members 1st FCU-RDC (aka com.metova.cuae.tmffcu) application 1.0.28 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5660 | MISC
netmaster -- cbw700_software | The Netmaster CBW700N cable modem with software 81.447.392110.729.024 has an SNMP community of public, which allows remote attackers to obtain sensitive credential, key, and SSID information via an SNMP request. | 2014-09-05 | 5.0 | CVE-2014-4862 | CERT-VN, MISC
ninjakiwi -- sas:_zombie_assault_3 | The SAS: Zombie Assault 3 (aka com.ninjakiwi.sas3zombieassault) application 2.56 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5670 | MISC
nodejs -- nodejs | Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack. | 2014-09-05 | 5.0 | CVE-2014-5256 | CONFIRM
noodlecake -- super_stickman_golf | The Super Stickman Golf (aka com.noodlecake.ssg) application 2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5671 | MISC
nowbrowser -- now_browser_(material) | The Now Browser (Material) (aka com.browser.nowbasic) 2.8.1 application Material for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5589 | MISC
nq -- vault-hide_sms,_pics_&_videos | The Vault-Hide SMS, Pics & Videos (aka com.netqin.ps) application 5.0.14.22 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5667 | MISC
nq -- nq_mobile_security_&_antivirus | The NQ Mobile Security & Antivirus (aka com.nqmobile.antivirus20) application 7.2.16.00 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5672 | MISC
nq -- easy_finder_&_anti-theft | The Easy Finder & Anti-Theft (aka com.nqmobile.easyfinder) application 2.0.10.08 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5673 | MISC
ntop -- ntopng | Cross-site scripting (XSS) vulnerability in the nDPI traffic classification library in ntopng (aka ntop) before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header. | 2014-09-08 | 4.3 | CVE-2014-5464 | XF, BID, BUGTRAQ, BUGTRAQ, EXPLOIT-DB, SECUNIA, FULLDISC, FULLDISC, MISC, OSVDB
open_graph_protocol_project -- open_graph_protocol | Cross-site scripting (XSS) vulnerability in the Open Graph protocol (jh_opengraphprotocol) extension before 1.0.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-11 | 4.3 | CVE-2014-6234 | XF, BID, SECUNIA
ovirt -- ovirt | Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors. | 2014-09-08 | 6.8 | CVE-2014-0152
ovirt -- ovirt | The REST API in oVirt 3.4.0 and earlier stores session IDs in HTML5 local storage, which allows remote attackers to obtain sensitive information via a crafted web page. | 2014-09-08 | 4.3 | CVE-2014-0153
penguinchefshop_project -- penguinchefshop | The penguinchefshop (aka com.freegames.penguinchefshop) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5623 | MISC
perblue -- parallel_kingdom_mmo | The Parallel Kingdom MMO (aka com.silvermoon.client) application @7F070019 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5699 | MISC
permadi -- mahjong_galaxy_space_lite | The Mahjong Galaxy Space Lite (aka air.com.permadi.mahjongIris) application 2.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5547 | MISC
picsart -- picsart_-_photo_studio | The PicsArt - Photo Studio (aka com.picsart.studio) application 4.5.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5674 | MISC
pinssible -- phonegram_-_instagram_download | The Phonegram - Instagram Download (aka com.pinssible.padgram) application 1.9.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5675 | MISC
playrix -- township | The Township (aka com.playrix.township) application 1.5.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5676 | MISC
playscape -- mominis_library | The MoMinis library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5525 | CERT-VN, MISC
pocketmags -- gambling_insider_magazine | The Gambling Insider Magazine (aka com.triactivemedia.gambling) application @7F0801AA for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-09 | 5.4 | CVE-2014-5724 | MISC
pointinside -- point_inside_shopping_&_travel | The Point Inside Shopping & Travel (aka com.pointinside.android.app) application 3.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5677 | MISC
pop-hub -- iq_test | The IQ Test (aka com.pophub.androidiqtest.free) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5678 | MISC
popuapp -- popu_2:_get_likes_on_instagram | The PopU 2: Get Likes on Instagram (aka com.popuapp.popu) application 1.7.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5679 | MISC
retale -- retale_-_weekly_ads_&_deals | The Retale - Weekly Ads & Deals (aka com.retale.android) application 2.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5682 | MISC
rubycell -- piano_teacher | The Piano Teacher (aka com.rubycell.pianisthd) application 20140730 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5683 | MISC
runkeeper -- runkeeper_-_gps_track_run_walk | The RunKeeper - GPS Track Run Walk (aka com.fitnesskeeper.runkeeper.pro) application 4.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2014-09-08 | 5.4 | CVE-2014-5619 | CERT-VN, MISC
runtastic -- The Runtastic Running & Fitness (aka 2014-09-08 5.4 CVE-2014-5684 MISC (link is runtastic_running_ com.runtastic.android) application 5.1.2 for Android external) &_fitness does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. runtastic -- The Runtastic Heart Rate (aka 2014-09-08 5.4 CVE-2014-5685 MISC (link is runtastic_heart_rat com.runtastic.android.heartrate.lite) application 1.3 external) e for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. runtastic -- The Runtastic Me (aka 2014-09-08 5.4 CVE-2014-5686 MISC (link is runtastic_me com.runtastic.android.me.lite) application 1.0.2 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. runtastic -- The Runtastic Mountain Bike (aka 2014-09-08 5.4 CVE-2014-5687 MISC (link is runtastic_mountain com.runtastic.android.mountainbike.lite) external) _bike application 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. runtastic -- The Runtastic Pedometer (aka 2014-09-08 5.4 CVE-2014-5688 MISC (link is runtastic_pedomete com.runtastic.android.pedometer.lite) application external) r 1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
runtastic -- The Runtastic Road Bike (aka 2014-09-08 5.4 CVE-2014-5689 MISC (link is runtastic_road_bike com.runtastic.android.roadbike.lite) application external) 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. runtastic -- The Runtastic Timer (aka 2014-09-08 5.4 CVE-2014-5690 MISC (link is runtastic_timer com.runtastic.android.timer) application 1.0.1 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. rvappstudios -- The Best Phone Security (aka 2014-09-08 5.4 CVE-2014-5691 MISC (link is best_phone_securit com.rvappstudios.phonesecurity) application for external) y Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. safeway -- safeway The Safeway (aka 2014-09-09 5.4 CVE-2014-5692 MISC (link is com.safeway.client.android.safeway) application external) 4.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. sanriodigital -- The Hello Kitty Cafe (aka 2014-09-09 5.4 CVE-2014-5695 MISC (link is hello_kitty_cafe com.sd.google.helloKittyCafe) application 1.4.0 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
sap -- netweaver Buffer overflow in disp+work.exe 7000.52.12.34966 2014-09-05 6.5 CVE-2014-6252 CONFIRM (link and 7200.117.19.50294 in the Dispatcher in SAP is external) NetWeaver 7.00 and 7.20 allows remote SECUNIA (link authenticated users to cause a denial of service or is external) CONFIRM (link execute arbitrary code via unspecified vectors. is external) MISC (link is external) scoutmob -- The Scoutmob local deals & events (aka 2014-09-09 5.4 CVE-2014-5694 MISC (link is scoutmob_local_de com.scoutmob.ile) application 3.0.18 for Android external) als_&_event does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. sega -- The Sonic 4 Episode II LITE (aka 2014-09-09 5.4 CVE-2014-5696 MISC (link is sonic_4_episode_ii com.sega.sonic4ep2lite) application 2.3 for Android external) _lite does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. sega -- sonic_cd_lite The Sonic CD Lite (aka com.soa.sega.soniccdlite) 2014-09-09 5.4 CVE-2014-5705 MISC (link is application 1.0.4 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. sensysnetworks -- Sensys Networks VSN240-F and VSN240-T sensors 2014-09-05 5.4 CVE-2014-2379 MISC trafficdot VDS before 2.10.1 and TrafficDOT before 2.10.3 do not use encryption, which allows remote attackers to interfere with traffic control by replaying transmissions on a wireless network. 
seven_bulls -- The Christmas Words (aka 2014-09-08 5.4 CVE-2014-5548 MISC (link is christmas_words air.com.sevenBulls.summerWords) application 1.0.1 external) for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. sheado -- furdiburb The Furdiburb (aka com.sheado.lite.pet) application 2014-09-09 5.4 CVE-2014-5698 MISC (link is 1.1.2 for Android does not verify X.509 certificates external) from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. sixdead -- The Brain lab - brain age games IQ (aka 2014-09-09 5.4 CVE-2014-5700 MISC (link is brain_lab_- com.sixdead.brainlab) application 2.37 for Android external) _brain_age_games does not verify X.509 certificates from SSL servers, _iq which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. skout -- The Skout: Chats. Friends. Fun. (aka 2014-09-09 5.4 CVE-2014-5701 MISC (link is skout:_chats._friend com.skout.android) application 4.3.3 for Android external) s._fun. does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. skyboardapps -- The Penguin Run (aka 2014-09-09 5.4 CVE-2014-5702 MISC (link is penguin_run com.skyboard.google.penguinRun) application 1.1 external) for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
slingo -- The Slingo Lottery Challenge (aka 2014-09-09 5.4 CVE-2014-5703 MISC (link is slingo_lottery_chall com.slingo.slingolotterychallenge) application enge 1.0.34 for Android does not verify X.509 certificates external) from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. snapone -- The Snap Secure (aka com.exclaim.snapsecure.app) 2014-09-08 5.4 CVE-2014-5615 MISC (link is snap_secure application 9.5 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. somcloud -- The SomNote - Journal/Memo (aka 2014-09-09 5.4 CVE-2014-5706 MISC (link is somnote_- com.somcloud.somnote) application 2.1.5 for external) _journal/memo Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. sos -- jobscheduler Cross-site scripting (XSS) vulnerability in the 2014-09-11 4.3 CVE-2014-5391 CONFIRM (link JobScheduler Operations Center (JOC) in SOS is external) JobScheduler before 1.6.4246 and 1.7.x before XF (link is 1.7.4241 allows remote attackers to inject arbitrary external) BID (link is web script or HTML via the hash property external) (location.hash). BUGTRAQ (link is external) MISC (link is external) MISC (link is external) sos -- jobscheduler Directory traversal vulnerability in the JobScheduler 2014-09-11 4.0 CVE-2014-5393 CONFIRM (link Operations Center (JOC) in SOS JobScheduler is external) before 1.6.4246 and 1.7.x before 1.7.4241 allows XF (link is remote authenticated users with the info external) BUGTRAQ permission to read arbitrary files in the webroot via (link is external) unspecified vectors. 
MISC (link is external) MISC (link is external) squid-cache -- squid HttpHdrRange.cc in Squid 3.x before 3.3.12 and 2014-09-11 5.0 CVE-2014-3609 CONFIRM 3.4.x before 3.4.6 allows remote attackers to cause a DEBIAN denial of service (crash) via a request with crafted SECUNIA (link "Range headers with unidentifiable byte-range is external) SECUNIA (link values." is external) ssfcu -- The Security Service myBranch App (aka 2014-09-09 5.4 CVE-2014-5726 MISC (link is security_service_my com.tyfone.ssfcu.mbanking) application external) branch_app 7.88.00.145 for Android does not verify X.509 certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. starluxstudios -- The Puppy Slots (aka 2014-09-08 5.4 CVE-2014-5549 MISC (link is puppy_slots air.com.starluxstudios.PuppySlotsFree) application external) 3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. sunstormgames -- The Donut Maker (aka 2014-09-09 5.4 CVE-2014-5709 MISC (link is donut_maker com.sunstorm.android.donut) application 1.27 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. swiftkey -- The SwiftKey Keyboard + Emoji (aka 2014-09-09 5.4 CVE-2014-5722 MISC (link is swiftkey_keyboard_ com.touchtype.swiftkey) application 5.0.2.4 for external) +_emoji Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
synology -- Cross-site scripting (XSS) vulnerability in Synology 2014-09-12 4.3 CVE-2012-1556 XF (link is diskstation_manage Photo Station 5 for DiskStation Manager (DSM) 3.2- external) r 1955 allows remote attackers to inject arbitrary web BID (link is script or HTML via the name parameter to external) SECUNIA (link photo/photo_one.php. is external) OSVDB BUGTRAQ (link is external) tamalaki -- The Hidden Object Mystery (aka 2014-09-08 5.4 CVE-2014-5542 CERT-VN hidden_object_mys air.com.differencegames.hodetectivemysteryfree) MISC (link is tery application 1.0.65 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. tapatalk -- tapatalk The Tapatalk (aka com.quoord.tapatalkpro.activity) 2014-09-08 5.4 CVE-2014-5680 MISC (link is application 4.8.0 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. tapjoy -- The Tapjoy library for Android does not verify X.509 2014-09-08 5.4 CVE-2014-5527 CERT-VN tapjoy_library certificates from SSL servers, which allows man-in- MISC (link is the-middle attackers to spoof servers and obtain external) sensitive information via a crafted certificate. tektite -- The Turbo River Racing Free (aka 2014-09-09 5.4 CVE-2014-5712 MISC (link is turbo_river_racing_ com.tektite.androidgames.trrfree) application 1.07 external) free for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
telly -- telly- The Telly - Watch the good stuff (aka com.telly) 2014-09-09 5.4 CVE-2014-5713 MISC (link is watch_the_good_st application 2.5.1 for Android does not verify X.509 external) uff certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. thegameboss -- The Street Racing (aka 2014-09-09 5.4 CVE-2014-5715 MISC (link is street_racing com.tgb.streetracing.lite5pp) application 4.0.4 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. theonegames -- The GUNSHIP BATTLE : Helicopter 3D (aka 2014-09-09 5.4 CVE-2014-5716 MISC (link is gunship_battle:heli com.theonegames.gunshipbattle) application 1.1.7 external) copter_3d for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. threadflip -- The Threadflip : Buy, Sell Fashion (aka 2014-09-09 5.4 CVE-2014-5718 MISC (link is threadflip_:_buy,_s com.threadflip.android) application 1.1.11 for external) ell_fashion Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. timuz -- The BIKE RACING 2014 (aka 2014-09-09 5.4 CVE-2014-5719 MISC (link is bike_racing_2014 com.timuzsolutions.bikeracing2014) application 1.6 external) for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
topfreegames -- The Bike Race Free - Top Free Game (aka 2014-09-09 5.4 CVE-2014-5720 MISC (link is bike_race_free_- com.topfreegames.bikeracefreeworld) application external) _top_free_game 4.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. torrentflux -- TorrentFlux 2.4 allows remote authenticated users 2014-09-05 4.0 CVE-2014-6028 MISC torrentflux to obtain other users' cookies via the cid parameter SECTRACK in an editCookies action to profile.php. (link is external) MLIST (link is external) MLIST (link is external) torrentflux -- TorrentFlux 2.4 allows remote authenticated users 2014-09-05 4.9 CVE-2014-6029 MISC torrentflux to delete or modify other users' cookies via the cid SECTRACK parameter in an editCookies action to profile.php. (link is external) MLIST (link is external) MLIST (link is external) torrnad0 -- The Sprint jump (aka air.com.ilaz.appilas) 2014-09-08 5.4 CVE-2014-5545 MISC (link is sprint_jump application 1 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. touchnote -- The Touchnote Postcards (aka 2014-09-09 5.4 CVE-2014-5721 MISC (link is touchnote_postcard com.touchnote.android) application 4.2.7 for external) s Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. traauctions -- The TRA Auctions for Buyers (aka com.manheim.tra) 2014-09-08 5.4 CVE-2014-5656 MISC (link is tra_auctions_for_b application 2.6 for Android does not verify X.509 external) uyers certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
trading_212 -- The Trading 212 FOREX (aka 2014-09-08 5.4 CVE-2014-5578 MISC (link is trading_212_forex com.avuscapital.trading212) application 2.0.3 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. trapster -- trapster The Trapster (aka com.trapster.android) application 2014-09-09 5.4 CVE-2014-5723 MISC (link is 4.3.2 for Android does not verify X.509 certificates external) from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. tribulant -- Unrestricted file upload vulnerability in the 2014-09-11 6.5 CVE-2014-5460 CONFIRM tibulant_slideshow_ Tribulant Slideshow Gallery plugin before 1.4.7 for XF (link is gallery WordPress allows remote authenticated users to external) execute arbitrary code by uploading a PHP file, then BUGTRAQ (link is external) accessing it via a direct request to the file in wp- EXPLOIT-DB content/uploads/slideshow-gallery/. (link is external) MISC (link is external) SECUNIA (link is external) MISC (link is external) truecaller -- The Truecaller - Caller ID & Block (aka 2014-09-09 5.4 CVE-2014-5725 MISC (link is truecaller- com.truecaller) application 4.32 for Android does external) caller_id_&_block not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. utorrent -- The uTorrent Remote (aka com.utorrent.web) 2014-09-09 5.4 CVE-2014-5727 MISC (link is utorrent_remote application 1.0.20110929 for Android does not external) verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
-- vevo- The Vevo - Watch HD Music Videos (aka com.vevo) 2014-09-09 5.4 CVE-2014-5728 MISC (link is watch_hd_music_vi application 2.0.27 for Android does not verify X.509 external) deos certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. viddy -- viddy The Viddy (aka com.viddy.Viddy) application 1.3.9 2014-09-09 5.4 CVE-2014-5729 MISC (link is for Android does not verify X.509 certificates from external) SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. videotelecom -- The russkoe TB HD (aka 2014-09-09 5.4 CVE-2014-5730 MISC (link is russkoe_tb_hd com.videotelecom.russkoeHD) application 3.6 for external) Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. wamba -- wamba- The Wamba - meet women and men (aka 2014-09-09 5.4 CVE-2014-5732 MISC (link is meet_women_and_ com.wamba.client) application 3 for Android does external) men not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. water_wish -- The Shop Love (aka com.waterwish.shoplove) 2014-09-09 5.4 CVE-2014-5733 MISC (link is shop_love application 1.05 for Android does not verify X.509 external) certificates from SSL servers, which allows man-in- the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. withbuddies -- The Slots Vacation - FREE Slots (aka 2014-09-09 5.4 CVE-2014-5693 MISC (link is slots_vacation_- com.scopely.slotsvacation) application 1.47.2 for external) _free_slots_ Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
withhive -- The actionpuzzlefamily for Kakao (aka 2014-09-08 5.4 CVE-2014-5595 MISC (link is actionpuzzlefamily_ com.com2us.actionpuzzlefamily.kakao.freefull.goo external) for_kakao gle.global.android.common) application 1.4.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. withhive -- The Homerun Battle 2 (aka 2014-09-08 5.4 CVE-2014-5596 MISC (link is homerun_battle_2 com.com2us.homerunbattle2.normal.freefull.googl external) e.global.android.common) application 1.2.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. withhive -- The 9 Innings: 2014 Pro Baseball (aka 2014-09-08 5.4 CVE-2014-5597 MISC (link is 9_innings:_2014_pr com.com2us.nipb2013.normal.freefull.google.glob external) o_baseball al.android.common) application 4.0.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. withhive -- The Puzzle Family (aka 2014-09-08 5.4 CVE-2014-5598 MISC (link is puzzle_family com.com2us.puzzlefamily.up.freefull.google.global. external) android.common) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. withhive -- The Tiny Farm (aka 2014-09-08 5.4 CVE-2014-5599 MISC (link is tiny_farm com.com2us.tinyfarm.normal.freefull.google.global external) .android.common) application 2.02.00 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 
xda-developers -- The XDA-Developers (aka 2014-09-08 5.4 CVE-2014-5681 MISC (link is xda-developers com.quoord.tapatalkxda.activity) application 3.9.8 external) for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. xoops -- xoops Multiple cross-site scripting (XSS) vulnerabilities in 2014-09-11 4.3 CVE-2012-0984 MISC (link is XOOPS before 2.5.5 allow remote attackers to inject external) arbitrary web script or HTML via the (1) to_userid XF (link is parameter to modules/pm/pmlite.php or the (2) external) BID (link is current_file, (3) imgcat_id, or (4) target parameter external) EXPLOIT-DB to (link is external) class/xoopseditor/tinymce/tinymce/jscripts/tiny_m SECUNIA (link ce/plugins/ is external) MISC xoopsimagemanager/xoopsimagebrowser.php. OSVDB OSVDB BUGTRAQ (link is external) zohocorp -- ZOHO ManageEngine EventLog Analyzer 9.0 build 2014-09-11 6.5 CVE-2014-6043 FULLDISC manageengine_eve 9002 and 8.2 build 8020 does not properly restrict MISC (link is ntlog_analyzer access to the database browser, which allows external) remote authenticated users to obtain access to the BID (link is external) database via a direct request to event/runQuery.do. EXPLOIT-DB (link is external) FULLDISC MISC (link is external) zopim -- The Zopim library for Android does not verify X.509 2014-09-08 5.4 CVE-2014-5530 CERT-VN zopim_library certificates from SSL servers, which allows man-in- MISC (link is the-middle attackers to spoof servers and obtain external) sensitive information via a crafted certificate. 
Low Severity Vulnerabilities

Primary Vendor -- Product | Description | Date Published | CVSS Score | CVE Identity | Source
cisco -- unified_communications_manager | Cross-site scripting (XSS) vulnerability in the web framework in Cisco Unified Communications Manager (UCM) 9.1(2.10000.28) allows remote authenticated users to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCuq68443. | 2014-09-11 | 3.5 | CVE-2014-3363 |
eucalyptus -- eucalyptus | The Storage Controller (SC) component in Eucalyptus 3.4.2 through 4.0.x before 4.0.1, when Dell Equallogic SAN is used, logs the CHAP user credentials, which allows local users to obtain sensitive information by reading the logs. | 2014-09-05 | 1.9 | CVE-2014-5036 | SECUNIA, SECUNIA
ibm -- rational_license_key_server | The Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4.x before 8.1.4.4 allows remote authenticated users to bypass authorization checks and visit unspecified URLs with license-usage data via a DESCRIBE clause in a SPARQL query. | 2014-09-10 | 2.1 | CVE-2014-3079 |
ibm -- rational_license_key_server | The Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4.x before 8.1.4.4 allows remote authenticated users to hijack sessions via unspecified vectors. | 2014-09-10 | 3.5 | CVE-2014-4756 |
ibm -- websphere_portal | Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 through 8.0.0.1 CF13 and 8.5.0 before CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2014-09-11 | 3.5 | CVE-2014-4762 | XF, AIXAPAR
ibm -- initiate_master_data_service | Cross-site scripting (XSS) vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-10 | 3.5 | CVE-2014-4787 | XF
netgear -- prosafe_firmware | The NETGEAR ProSafe Plus Configuration Utility creates configuration backup files containing cleartext passwords, which might allow remote attackers to obtain sensitive information by reading a file. | 2014-09-10 | 3.3 | CVE-2014-4864 |
news_pack_project -- news_pack | Cross-site scripting (XSS) vulnerability in the News Pack extension 0.1.0 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-11 | 3.5 | CVE-2014-6237 | XF, BID
sixapart -- movabletype | Cross-site scripting (XSS) vulnerability in the management page in Six Apart Movable Type before 5.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-10 | 3.5 | CVE-2014-5313 | JVNDB, CONFIRM
spiceworks -- spiceworks | Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page. | 2014-09-11 | 3.5 | CVE-2014-3740 | EXPLOIT-DB, SECUNIA, FULLDISC, MISC, MISC, MISC, OSVDB
srvx -- srvx | Multiple integer overflows in the HelpServ module (mod-helpserv.c) in srvx 1.3.1 allow remote authenticated IRCops or HelpServ bot managers to cause a denial of service (infinite loop) via a large value in the EmptyInterval parameter or certain other interval configurations. | 2014-09-05 | 3.5 | CVE-2014-5508 | BID, MLIST, MLIST
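Most of the medium-severity entries above describe one defect, improper certificate validation (CWE-295): the Android app or library installs a TrustManager, and usually a HostnameVerifier, that accepts whatever the server presents, so an attacker on the path can terminate the TLS connection with a certificate of their own and read or alter the traffic. The following is an added example written for this summary; it is not code from any of the listed apps or libraries. It shows the accept-all TrustManager that produces the bug next to a hardened context that keeps the platform's default PKIX validation and additionally pins the server's public key. The class name TlsTrustDemo, the URL and the pins on the command line are assumptions for the demonstration; the code targets Java 8 SE (on Android below API 26, java.util.Base64 is unavailable and android.util.Base64 is the substitute).

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (not from any listed app): broken and hardened TLS trust in JSSE. */
public final class TlsTrustDemo {

    /** ANTI-PATTERN: the defect behind the CWE-295 entries. checkServerTrusted() never throws,
     *  so any chain is accepted, including one an on-path attacker minted a moment ago.
     *  Kept only for contrast; never ship it. */
    static SSLContext insecureContext() throws Exception {
        TrustManager[] acceptAll = {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        // Apps with this bug usually also install a HostnameVerifier that returns true,
        // removing the last check that ties the certificate to the host name.
        return ctx;
    }

    /** HARDENED: delegate to the platform's default trust manager (chain building, validity,
     *  CA trust) and, on top of it, require the leaf SubjectPublicKeyInfo hash to be one of
     *  the pins the app ships with. Host name checking stays with HttpsURLConnection. */
    static SSLContext pinnedContext(Set<String> pinnedSpkiSha256) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = platform default trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager in default factory");
        final X509TrustManager platform = found;

        X509TrustManager pinning = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkClientTrusted(chain, authType);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkServerTrusted(chain, authType);   // full PKIX validation first
                String observed = spkiSha256(chain[0]);
                if (!pinnedSpkiSha256.contains(observed)) {
                    throw new CertificateException("leaf SPKI pin mismatch: " + observed);
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinning }, null);
        return ctx;
    }

    /** Pin value in the HPKP form "sha256/" + base64(SHA-256(DER SubjectPublicKeyInfo)).
     *  Pinning the key rather than the certificate survives renewals that keep the key pair. */
    static String spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            byte[] spki = cert.getPublicKey().getEncoded();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return "sha256/" + Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    /** java TlsTrustDemo https://host/ [sha256/<base64> ...]
     *  No pins: platform default trust, and the observed leaf pin is printed so it can be
     *  recorded. With pins: the handshake fails unless the leaf key matches one of them. */
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: TlsTrustDemo <https-url> [sha256/<base64> ...]");
            return;
        }
        Set<String> pins = new HashSet<>(Arrays.asList(args).subList(1, args.length));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(pins.isEmpty()
            ? SSLContext.getDefault().getSocketFactory()
            : pinnedContext(pins).getSocketFactory());
        conn.connect();
        X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("HTTP " + conn.getResponseCode() + "; leaf pin " + spkiSha256(leaf));
        conn.disconnect();
    }
}
```

The check a tester applies to any of the listed apps is the converse of this code: route the device through an intercepting proxy whose CA the device does not trust. A correctly written client aborts the handshake; a client with the accept-all pattern carries on, and the proxy shows the session's plaintext, which is exactly the "crafted certificate" condition in the descriptions. Pinning as above is a defence in depth on top of default validation, not a replacement for it, and it needs a rotation plan (at least one backup pin) so that a key change does not lock customers out.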

• Sources: http://nvd.nist.gov (for more information, visit the National Vulnerability Database (NVD), the U.S. government repository of published CVE entries and their CVSS scores).

Uganda Communications Commission – UGCERT. Email: [email protected] Tel: +256 414 302 100/150 Toll Free: 0800 133 911 Website: www.ug-cert.ug Facebook / Twitter: UGCERT