CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-9408 200 +Info 2014-12-19 2014-12-19
5.0
None Remote Low Not required Partial None None
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 uses part of the MAC address as part of the RC4 setup key, which makes it easier for remote attackers to guess the key via a brute-force attack.
2 CVE-2014-9388 284 2014-12-17 2014-12-18
5.0
None Remote Low Not required None Partial None
bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter.
3 CVE-2014-9381 189 DoS 2014-12-19 2014-12-19
5.0
None Remote Low Not required None None Partial
Integer signedness error in the dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 allows remote attackers to cause a denial of service (crash) via a crafted password, which triggers a large memory allocation.
4 CVE-2014-9380 119 DoS Overflow 2014-12-19 2014-12-19
5.0
None Remote Low Not required None None Partial
The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 allows remote attackers to cause a denial of service (out-of-bounds read) via a packet containing only a CVS_LOGIN signature.
5 CVE-2014-9374 DoS 2014-12-12 2014-12-15
5.0
None Remote Low Not required None None Partial
Double free vulnerability in the WebSocket Server (res_http_websocket module) in Asterisk Open Source 11.x before 11.14.2, 12.x before 12.7.2, and 13.x before 13.0.2 and Certified Asterisk 11.6 before 11.6-cert9 allows remote attackers to cause a denial of service (crash) by sending a zero length frame after a non-zero length frame.
6 CVE-2014-9365 2014-12-12 2014-12-12
5.8
None Remote Medium Not required Partial Partial None
The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
7 CVE-2014-9363 2014-12-10 2014-12-11
5.5
None Remote Low Single system Partial Partial None
Open redirect vulnerability in the path-based meta tag editing form in the Meta tags quick module 7.x-2.x before 7.x-2.8 for Drupal allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the destination parameter.
8 CVE-2014-9350 399 1 DoS 2014-12-08 2014-12-09
5.0
None Remote Low Not required None None Partial
TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.
9 CVE-2014-9343 2014-12-08 2014-12-09
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in modules/system/controller/selectlanguage.class.php in Snowfox CMS 1.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the rd parameter in a submit action to snowfox/.
10 CVE-2014-9323 DoS 2014-12-16 2014-12-17
5.0
None Remote Low Not required None None Partial
The xdr_status_vector function in Firebird before 2.1.7 and 2.5.x before 2.5.3 SU1 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and crash) via an op_response action with a non-empty status.
11 CVE-2014-9319 119 DoS Overflow 2014-12-09 2014-12-10
5.0
None Remote Low Not required None None Partial
The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted .bit file.
12 CVE-2014-9302 2014-12-07 2014-12-09
5.0
None Remote Low Not required None Partial None
Server-side request forgery (SSRF) vulnerability in the cmisbrowser servlet in Content Management Interoperability Service (CMIS) in Alfresco Community Edition 5.0.a and earlier allows remote attackers to trigger outbound requests via a crafted URI in the url parameter.
13 CVE-2014-9292 2014-12-05 2014-12-08
5.8
None Remote Medium Not required Partial Partial None
Server-side request forgery (SSRF) vulnerability in proxy.php in the jRSS Widget plugin 1.2 and earlier for WordPress allows remote attackers to trigger outbound requests and enumerate open ports via the url parameter.
14 CVE-2014-9279 200 +Info 2014-12-08 2014-12-09
5.0
None Remote Low Not required Partial None None
The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL.
15 CVE-2014-9251 255 2014-12-15 2014-12-16
5.0
None Remote Low Not required Partial None None
Zenoss Core through 5 Beta 3 uses a weak algorithm to hash passwords, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack on hash values in the database, aka ZEN-15413.
16 CVE-2014-9250 200 +Info 2014-12-15 2014-12-16
5.0
None Remote Low Not required Partial None None
Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a Set-Cookie header for the authentication cookie, which makes it easier for remote attackers to obtain credential information via script access to this cookie, aka ZEN-10418.
17 CVE-2014-9248 255 2014-12-15 2014-12-16
5.0
None Remote Low Not required None Partial None
Zenoss Core through 5 Beta 3 does not require complex passwords, which makes it easier for remote attackers to obtain access via a brute-force attack, aka ZEN-15406.
18 CVE-2014-9245 200 +Info 2014-12-15 2014-12-16
5.0
None Remote Low Not required Partial None None
Zenoss Core through 5 Beta 3 allows remote attackers to obtain sensitive information by attempting a product-rename action with an invalid new name and then reading a stack trace, as demonstrated by internal URL information, aka ZEN-15382.
19 CVE-2014-9238 22 Dir. Trav. 2014-12-03 2014-12-05
5.0
None Remote Low Not required Partial None None
D-link IP camera DCS-2103 with firmware 1.0.0 allows remote attackers to obtain the installation path via the file parameter to cgi-bin/sddownload.cgi, as demonstrated by a / (forward slash) character.
20 CVE-2014-9234 22 Dir. Trav. 2014-12-03 2014-12-05
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in cgi-bin/sddownload.cgi in D-link IP camera DCS-2103 with firmware 1.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
21 CVE-2014-9218 399 DoS 2014-12-08 2014-12-08
5.0
None Remote Low Not required None None Partial
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (resource consumption) via a long password.
22 CVE-2014-9217 287 Bypass 2014-12-08 2014-12-08
5.0
None Remote Low Not required None Partial None
Graylog2 before 0.92 allows remote attackers to bypass LDAP authentication via crafted wildcards.
23 CVE-2014-9192 189 DoS Overflow 2014-12-11 2014-12-12
5.0
None Remote Low Not required None None Partial
Integer overflow in Trihedral Engineering VTScada (formerly VTS) 6.5 through 9.x before 9.1.20, 10.x before 10.2.22, and 11.x before 11.1.07 allows remote attackers to cause a denial of service (server crash) via a crafted request, which triggers a large memory allocation.
24 CVE-2014-9184 287 Bypass 2014-12-02 2014-12-03
5.0
None Remote Low Not required None Partial None
ZTE ZXDSL 831CII allows remote attackers to bypass authentication via a direct request to (1) main.cgi, (2) adminpasswd.cgi, (3) userpasswd.cgi, (4) upload.cgi, (5) conprocess.cgi, or (6) connect.cgi.
25 CVE-2014-9181 22 Dir. Trav. 2014-12-02 2014-12-02
5.0
None Remote Low Not required Partial None None
Multiple directory traversal vulnerabilities in Plex Media Server before 0.9.9.3 allow remote attackers to read arbitrary files via a .. (dot dot) in the URI to (1) manage/ or (2) web/ or remote authenticated users to read arbitrary files via a .. (dot dot) in the URI to resources/.
26 CVE-2014-9180 2014-12-02 2014-12-03
5.0
None Remote Low Not required None Partial None
Open redirect vulnerability in go.php in Eleanor CMS allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the QUERY_STRING.
27 CVE-2014-9177 200 +Info 2014-12-02 2014-12-02
5.0
None Remote Low Not required Partial None None
The HTML5 MP3 Player with Playlist Free plugin before 2.7 for WordPress allows remote attackers to obtain the installation path via a request to html5plus/playlist.php.
28 CVE-2014-9166 DoS 2014-12-10 2014-12-11
5.0
None Remote Low Not required None None Partial
Adobe ColdFusion 10 before Update 15 and 11 before Update 3 allows attackers to cause a denial of service (resource consumption) via unspecified vectors.
29 CVE-2014-9162 200 +Info 2014-12-10 2014-12-11
5.0
None Remote Low Not required Partial None None
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to obtain sensitive information via unspecified vectors.
30 CVE-2014-9140 119 DoS Overflow 2014-12-05 2014-12-05
5.0
None Remote Low Not required None None Partial
Buffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump 4.6.2 and earlier allows remote attackers to cause a denial of service (crash) cia a crafted PPP packet.
31 CVE-2014-9130 20 DoS 2014-12-08 2014-12-09
5.0
None Remote Low Not required None None Partial
scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.
32 CVE-2014-9117 284 Bypass 2014-12-06 2014-12-08
5.0
None Remote Low Not required None Partial None
MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0.
33 CVE-2014-9116 119 DoS Overflow 2014-12-02 2014-12-03
5.0
None Remote Low Not required None None Partial
The write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, which allows remote attackers to cause a denial of service (crash) via a header with an empty body, which triggers a heap-based buffer overflow in the mutt_substrdup function.
34 CVE-2014-9112 119 DoS Overflow 2014-12-02 2014-12-17
5.0
None Remote Low Not required None None Partial
Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive.
35 CVE-2014-9087 189 DoS Overflow 2014-12-01 2014-12-05
5.0
None Remote Low Not required None None Partial
Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow.
36 CVE-2014-9060 20 2014-11-24 2014-11-24
5.0
None Remote Low Not required Partial None None
The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php.
37 CVE-2014-9050 119 DoS Overflow 2014-12-01 2014-12-17
5.0
None Remote Low Not required None None Partial
Heap-based buffer overflow in the cli_scanpe function in libclamav/pe.c in ClamAV before 0.95.4 allows remote attackers to cause a denial of service (crash) via a crafted y0da Crypter PE file.
38 CVE-2014-9034 19 DoS 2014-11-25 2014-12-08
5.0
None Remote Low Not required None None Partial
wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016.
39 CVE-2014-9025 200 +Info 2014-11-20 2014-11-21
5.0
None Remote Low Not required Partial None None
The default checkout completion rule in the commerce_order module in the Drupal Commerce module 7.x-1.x before 7.x-1.10 for Drupal uses the email address as the username for new accounts created at checkout, which allows remote attackers to obtain sensitive information via unspecified vectors.
40 CVE-2014-9023 264 2014-11-20 2014-11-20
5.5
None Remote Low Single system Partial Partial None
The Twilio module 7.x-1.x before 7.x-1.9 for Drupal does not properly restirct access to the Twilio administration pages, which allows remote authenticated users to read and modify authentication tokens by leveraging the "access administration pages" Drupal permission.
41 CVE-2014-9018 200 +Info 2014-12-03 2014-12-17
5.0
None Remote Low Not required Partial None None
Icecast before 2.4.1 transmits the output of the on-connect script, which might allow remote attackers to obtain sensitive information, related to shared file descriptors.
42 CVE-2014-9016 20 DoS 2014-11-24 2014-11-24
5.0
None Remote Low Not required None None Partial
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.
43 CVE-2014-9006 255 2014-11-20 2014-11-20
5.0
None Remote Low Not required None Partial None
Monstra 3.0.1 and earlier uses a cookie to track how many login attempts have been attempted, which allows remote attackers to conduct brute force login attacks by deleting the login_attempts cookie or setting it to certain values.
44 CVE-2014-8995 89 Exec Code Sql 2014-11-20 2014-11-20
5.0
None Remote Low Not required None Partial None
SQL injection vulnerability in Maarch LetterBox 2.8 allows remote attackers to execute arbitrary SQL commands via the UserId cookie.
45 CVE-2014-8964 119 DoS Overflow 2014-12-16 2014-12-17
5.0
None Remote Low Not required None None Partial
Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.
46 CVE-2014-8890 264 +Priv 2014-12-18 2014-12-18
5.1
None Remote High Not required Partial Partial Partial
IBM WebSphere Application Server Liberty Profile 8.5.x before 8.5.5.4 allows remote attackers to gain privileges by leveraging the combination of a servlet's deployment descriptor security constraints and ServletSecurity annotations.
47 CVE-2014-8875 DoS 2014-12-19 2014-12-19
5.0
None Remote Low Not required None None Partial
The XML_RPC_cd function in lib/pear/XML/RPC.php in Revive Adserver before 3.0.6 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML-RPC request, aka an XML Entity Expansion (XEE) attack.
48 CVE-2014-8874 200 +Info 2014-12-02 2014-12-03
5.0
None Remote Low Not required Partial None None
The ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses predictable names for the questionnaire answer forms, which makes it easier for remote attackers to obtain sensitive information via a direct request.
49 CVE-2014-8801 22 1 Dir. Trav. 2014-11-28 2014-11-28
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax.php.
50 CVE-2014-8799 22 1 Dir. Trav. 2014-11-28 2014-11-28
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.