Vulnerabilities (CVE)

Filtered by CWE-264
Total 5242 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-3553 1 Moodle 1 Moodle 2024-11-21 4.9 MEDIUM N/A
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships.
CVE-2014-3546 1 Moodle 1 Moodle 2024-11-21 5.0 MEDIUM N/A
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL.
CVE-2014-3514 1 Rubyonrails 1 Rails 2024-11-21 7.5 HIGH N/A
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.
CVE-2014-3499 2 Docker, Fedoraproject 2 Docker, Fedora 2024-11-21 7.2 HIGH N/A
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.
CVE-2014-3472 1 Redhat 1 Jboss Enterprise Application Platform 2024-11-21 4.9 MEDIUM N/A
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.
CVE-2014-3464 1 Redhat 1 Jboss Enterprise Application Platform 2024-11-21 5.5 MEDIUM N/A
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133.
CVE-2014-3431 2 Apple, Symantec 3 Mac Os X, Encryption Desktop, Pgp Desktop 2024-11-21 4.3 MEDIUM N/A
Symantec PGP Desktop 10.x, and Encryption Desktop Professional 10.3.x before 10.3.2 MP2, on OS X uses world-writable permissions for temporary files, which allows local users to bypass intended restrictions on file reading, modification, creation, and permission changes via unspecified vectors.
CVE-2014-3417 1 Jasig 1 Uportal 2024-11-21 6.5 MEDIUM N/A
uPortal before 4.0.13.1 does not properly check the CONFIG permission, which allows remote authenticated users to configure portlets by leveraging the SUBSCRIBE permission for a portlet.
CVE-2014-3416 1 Jasig 1 Uportal 2024-11-21 6.5 MEDIUM N/A
uPortal before 4.0.13.1 does not properly check the MANAGE permissions, which allows remote authenticated users to manage arbitrary portlets by leveraging the SUBSCRIBE permission for the portlet-admin portlet.
CVE-2014-3350 1 Cisco 1 Cloud Portal 2024-11-21 4.0 MEDIUM N/A
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) does not properly implement URL redirection, which allows remote authenticated users to obtain sensitive information via a crafted URL, aka Bug ID CSCuh84870.
CVE-2014-3345 1 Cisco 1 Transport Gateway Installation Software 2024-11-21 5.0 MEDIUM N/A
The web framework in Cisco Transport Gateway for Smart Call Home (aka TG-SCH or Transport Gateway Installation Software) 4.0 does not properly check authorization for administrative web pages, which allows remote attackers to modify the product via a crafted URL, aka Bug ID CSCuq31503.
CVE-2014-3333 1 Cisco 1 Unity Connection 2024-11-21 9.0 HIGH N/A
The server in Cisco Unity Connection 9.1(1) and 9.1(2) allows remote authenticated users to obtain privileged access by conducting an "HTTP Intercept" attack and leveraging the ability to read files within the context of the web-server user account, aka Bug ID CSCup41014.
CVE-2014-3330 1 Cisco 2 Nexus 9000, Nx-os 2024-11-21 5.0 MEDIUM N/A
Cisco NX-OS 6.1(2)I2(1) on Nexus 9000 switches does not properly process packet-drop policy checks for logged packets, which allows remote attackers to bypass intended access restrictions via a flood of packets matching a policy that contains the log keyword, aka Bug ID CSCuo02489.
CVE-2014-3309 1 Cisco 2 Ios, Ios Xe 2024-11-21 5.0 MEDIUM N/A
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.
CVE-2014-3300 1 Cisco 2 Unified Cdm Application Software, Unified Communications Domain Manager 2024-11-21 7.5 HIGH N/A
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM) in Unified CDM Application Software before 10 does not properly implement access control, which allows remote attackers to modify user information via a crafted URL, aka Bug ID CSCum77041.
CVE-2014-3297 1 Cisco 1 Cloud Portal 2024-11-21 4.0 MEDIUM N/A
Cisco Intelligent Automation for Cloud in Cisco Cloud Portal does not properly restrict the content of MyServices action URLs, which allows remote authenticated users to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history, aka Bug IDs CSCui36937, CSCui37004, and CSCui36927.
CVE-2014-3294 1 Cisco 1 Webex Meetings Server 2024-11-21 4.0 MEDIUM N/A
Cisco WebEx Meeting Server does not properly restrict the content of URLs, which allows remote authenticated users to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history, aka Bug ID CSCuj81691.
CVE-2014-3290 1 Cisco 1 Ios Xe 2024-11-21 4.8 MEDIUM N/A
The mDNS implementation in Cisco IOS XE 3.12S does not properly interact with autonomic networking, which allows remote attackers to obtain sensitive networking-services information by sniffing the network or overwrite networking-services data via a crafted mDNS response, aka Bug ID CSCun64867.
CVE-2014-3286 1 Cisco 1 Webex Meetings Server 2024-11-21 5.0 MEDIUM N/A
The web framework in Cisco WebEx Meeting Server does not properly restrict the content of reply messages, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug IDs CSCuj81685, CSCuj81688, CSCuj81665, CSCuj81744, and CSCuj81661.
CVE-2014-3282 1 Cisco 1 Unified Communications Domain Manager 2024-11-21 4.0 MEDIUM N/A
The Administration GUI in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier does not properly implement access control, which allows remote authenticated users to obtain sensitive number-translation information by leveraging Location Administrator privileges and entering a crafted URL, aka Bug ID CSCum76930.