Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2014-4994

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-10 Jan, 2018 | 18:00
Updated At-06 Aug, 2024 | 11:34
Rejected At-
Credits

lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users to write to arbitrary files via a symlink attack on a temporary file, related to time-based filenames.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:10 Jan, 2018 | 18:00
Updated At:06 Aug, 2024 | 11:34
Rejected At:
▼CVE Numbering Authority (CNA)

lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users to write to arbitrary files via a symlink attack on a temporary file, related to time-based filenames.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2014/07/17/5
mailing-list
x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2014/07/07/13
mailing-list
x_refsource_MLIST
http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html
x_refsource_MISC
Hyperlink: http://www.openwall.com/lists/oss-security/2014/07/17/5
Resource:
mailing-list
x_refsource_MLIST
Hyperlink: http://www.openwall.com/lists/oss-security/2014/07/07/13
Resource:
mailing-list
x_refsource_MLIST
Hyperlink: http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2014/07/17/5
mailing-list
x_refsource_MLIST
x_transferred
http://www.openwall.com/lists/oss-security/2014/07/07/13
mailing-list
x_refsource_MLIST
x_transferred
http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html
x_refsource_MISC
x_transferred
Hyperlink: http://www.openwall.com/lists/oss-security/2014/07/17/5
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: http://www.openwall.com/lists/oss-security/2014/07/07/13
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:10 Jan, 2018 | 18:29
Updated At:30 Jan, 2018 | 14:47

lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users to write to arbitrary files via a symlink attack on a temporary file, related to time-based filenames.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.05.5MEDIUM
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary2.02.1LOW
AV:L/AC:L/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.0
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Type: Primary
Version: 2.0
Base score: 2.1
Base severity: LOW
Vector:
AV:L/AC:L/Au:N/C:N/I:P/A:N
CPE Matches
gyazo_project
gyazo_project
>>gyazo>>1.0.0
cpe:2.3:a:gyazo_project:gyazo:1.0.0:*:*:*:*:ruby:*:*
Weaknesses
CWE IDTypeSource
CWE-20Primarynvd@nist.gov
CWE ID: CWE-20
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.openwall.com/lists/oss-security/2014/07/07/13cve@mitre.org
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/07/17/5cve@mitre.org
Mailing List
Third Party Advisory
http://www.vapid.dhs.org/advisories/gyazo-1.0.0.htmlcve@mitre.org
Exploit
Third Party Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2014/07/07/13
Source: cve@mitre.org
Resource:
Mailing List
Third Party Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2014/07/17/5
Source: cve@mitre.org
Resource:
Mailing List
Third Party Advisory
Hyperlink: http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

64Records found
CVE-2021-25415
Matching Score-4
Assigner-Samsung Mobile
ShareView Details
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 13.35%
||
7 Day CHG~0.00%
Published-11 Jun, 2021 | 14:33
Updated-03 Aug, 2024 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Assuming EL1 is compromised, an improper address validation in RKP prior to SMR JUN-2021 Release 1 allows local attackers to remap EL2 memory as writable.

Action-Not Available
Vendor-Google LLCSamsungSamsung Electronics
Product-exynos_9610exynos_9810androidexynos_9830exynos_9820Samsung Mobile Devices
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-20
Improper Input Validation
CVE-2021-1519
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.05% / 15.70%
||
7 Day CHG~0.00%
Published-06 May, 2021 | 12:51
Updated-08 Nov, 2024 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco AnyConnect Secure Mobility Client Profile Modification Vulnerability

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to overwrite VPN profiles on an affected device. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to modify VPN profile files. To exploit this vulnerability, the attacker must have valid credentials on the affected system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-anyconnect_secure_mobility_clientCisco AnyConnect Secure Mobility Client
CWE ID-CWE-20
Improper Input Validation
CVE-2021-0400
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 7.89%
||
7 Day CHG~0.00%
Published-13 Apr, 2021 | 18:25
Updated-03 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In injectBestLocation and handleUpdateLocation of GnssLocationProvider.java, there is a possible incorrect reporting of location data to emergency services due to improper input validation. This could lead to incorrect reporting of location data to emergency services with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11Android ID: A-177561690

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-20
Improper Input Validation
CVE-2021-0377
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-5.5||MEDIUM
EPSS-0.01% / 3.38%
||
7 Day CHG~0.00%
Published-10 Mar, 2021 | 15:59
Updated-03 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In DeltaPerformer::Write of delta_performer.cc, there is a possible use of untrusted input due to improper input validation. This could lead to a local bypass of defense in depth protections with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-160800689

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-20
Improper Input Validation
CVE-2020-8324
Matching Score-4
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-4
Assigner-Lenovo Group Ltd.
CVSS Score-5||MEDIUM
EPSS-0.06% / 18.02%
||
7 Day CHG~0.00%
Published-14 Apr, 2020 | 21:05
Updated-16 Sep, 2024 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was reported in LenovoAppScenarioPluginSystem for Lenovo System Interface Foundation prior to version 1.2.184.31 that could allow unsigned DLL files to be executed.

Action-Not Available
Vendor-Lenovo Group Limited
Product-system_interface_foundationLenovoAppScenarioPluginSystem for Lenovo System Interface Foundation
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CWE ID-CWE-20
Improper Input Validation
CVE-2020-3435
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.08% / 23.46%
||
7 Day CHG~0.00%
Published-17 Aug, 2020 | 18:00
Updated-13 Nov, 2024 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco AnyConnect Secure Mobility Client for Windows Profile Modification Vulnerability

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to overwrite VPN profiles on an affected device. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process on an affected device. A successful exploit could allow the attacker to modify VPN profile files. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-anyconnect_secure_mobility_clientCisco AnyConnect Secure Mobility Client
CWE ID-CWE-20
Improper Input Validation
CVE-2010-3293
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.06% / 19.45%
||
7 Day CHG~0.00%
Published-28 Oct, 2019 | 14:08
Updated-07 Aug, 2024 | 03:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

mailscanner can allow local users to prevent virus signatures from being updated

Action-Not Available
Vendor-mailscannern/a
Product-mailscannern/a
CWE ID-CWE-20
Improper Input Validation
CVE-2016-5294
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.07% / 21.77%
||
7 Day CHG~0.00%
Published-11 Jun, 2018 | 21:00
Updated-25 Nov, 2025 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.

Action-Not Available
Vendor-Mozilla CorporationMicrosoft Corporation
Product-windowsthunderbirdfirefoxThunderbirdFirefox ESRFirefox
CWE ID-CWE-20
Improper Input Validation
CVE-2020-15709
Matching Score-4
Assigner-Canonical Ltd.
ShareView Details
Matching Score-4
Assigner-Canonical Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.04% / 11.76%
||
7 Day CHG~0.00%
Published-05 Sep, 2020 | 03:30
Updated-17 Sep, 2024 | 01:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
add-apt-repository print ASNI terminal codes

Versions of add-apt-repository before 0.98.9.2, 0.96.24.32.14, 0.96.20.10, and 0.92.37.8ubuntu0.1~esm1, printed a PPA (personal package archive) description to the terminal as-is, which allowed PPA owners to provide ANSI terminal escapes to modify terminal contents in unexpected ways.

Action-Not Available
Vendor-Canonical Ltd.
Product-add-apt-repositoryadd-apt-repository
CWE ID-CWE-20
Improper Input Validation
CVE-2017-16556
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.05% / 15.28%
||
7 Day CHG~0.00%
Published-16 Jan, 2018 | 19:00
Updated-05 Aug, 2024 | 20:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In K7 Antivirus Premium before 15.1.0.53, user-controlled input can be used to allow local users to write to arbitrary memory locations.

Action-Not Available
Vendor-k7computingn/a
Product-endpointinternet_securityultimate_securitytotal_securityantivirusn/a
CWE ID-CWE-20
Improper Input Validation
CVE-2017-14771
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.12% / 31.19%
||
7 Day CHG~0.00%
Published-02 Oct, 2017 | 21:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Skybox Manager Client Application prior to 8.5.501 is prone to an arbitrary file upload vulnerability due to insufficient input validation of user-supplied files path when uploading files via the application. During a debugger-pause state, a local authenticated attacker can upload an arbitrary file and overwrite existing files within the scope of the affected application.

Action-Not Available
Vendor-skyboxsecurityn/a
Product-skybox_manager_client_applicationn/a
CWE ID-CWE-20
Improper Input Validation
CVE-2017-0007
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.5||MEDIUM
EPSS-1.21% / 79.18%
||
7 Day CHG~0.00%
Published-17 Mar, 2017 | 00:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating associated signatures, aka "PowerShell Security Feature Bypass Vulnerability."

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2016windows_10Device Guard
CWE ID-CWE-20
Improper Input Validation
CVE-2016-2781
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.08% / 24.27%
||
7 Day CHG~0.00%
Published-07 Feb, 2017 | 15:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Action-Not Available
Vendor-n/aGNU
Product-coreutilsn/a
CWE ID-CWE-20
Improper Input Validation
CVE-2016-11048
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.02% / 5.21%
||
7 Day CHG~0.00%
Published-07 Apr, 2020 | 12:45
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Samsung mobile devices with L(5.0/5.1) (Spreadtrum or Marvell chipsets) software. There is a Factory Reset Protection (FRP) bypass. The Samsung ID is SVE-2016-5421 (March 2016).

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidn/a
CWE ID-CWE-20
Improper Input Validation
  • Previous
  • 1
  • 2
  • Next
Details not found