The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor’s...
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter. Date published : 2014-07-28 http://www.securityfocus.com/bid/68923 http://www.kb.cert.org/vuls/id/867980
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts. Date published : 2014-07-28 http://www.kb.cert.org/vuls/id/867980
Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors. Date published : 2014-07-27 https://wordpress.org/plugins/wysija-newsletters/changelog/ http://www.openwall.com/lists/oss-security/2014/07/08/7
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/. Date...
Apple QuickTime allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a malformed version number and flags in an mvhd atom. Date published : 2014-07-26 http://www.securityfocus.com/bid/68852 http://support.apple.com/kb/HT6443
Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an...
Multiple SQL injection vulnerabilities in CWPLogin.aspx in Sabre AirCentre Crew products 2010.2.12.20008 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password field. Date published : 2014-07-26...
Cross-site scripting (XSS) vulnerability in Gurock TestRail before 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the Created By field in a project activity. Date published : 2014-07-26 http://www.kb.cert.org/vuls/id/669804 http://forum.gurock.com/topic/1652/testrail-313-released/
Cross-site scripting (XSS) vulnerability in the Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. Date published : 2014-07-26 http://linux.oracle.com/errata/ELSA-2014-0747.html...
The Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows physically proximate attackers to discover a meeting password hash by leveraging access to an unattended workstation to read HTML source code within a...
The Intercluster Sync Agent Service in Cisco Unified Presence Server allows remote attackers to cause a denial of service via a TCP SYN flood, aka Bug ID CSCun34125. Date published : 2014-07-26 http://www.securityfocus.com/bid/68901 http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3328
SQL injection vulnerability in the web framework in Cisco Security Manager 4.5 and 4.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCup26957. Date published : 2014-07-26...
Multiple cross-site scripting (XSS) vulnerabilities in the login page in the administrative web interface in Cisco TelePresence Server Software 4.0(2.8) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter,...