CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-2862 264 2014-04-15 2014-04-16
6.5
None Remote Low Single system Partial Partial Partial
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not check authorization in unspecified situations, which allows remote authenticated users to perform actions via unknown vectors.
2 CVE-2014-2851 189 DoS Overflow +Priv 2014-04-14 2014-04-15
6.9
None Local Medium Not required Complete Complete Complete
Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.
3 CVE-2014-2848 362 +Priv 2014-04-11 2014-04-14
6.9
None Local Medium Not required Complete Complete Complete
A race condition in the wmi_malware_scan.nbin plugin before 201402262215 for Nessus 5.2.1 allows local users to gain privileges by replacing the dissolvable agent executable in the Windows temp directory with a Trojan horse program.
4 CVE-2014-2671 119 1 DoS Overflow Mem. Corr. 2014-03-31 2014-04-14
6.8
None Remote Medium Not required Partial Partial Partial
Microsoft Windows Media Player (WMP) 11.0.5721.5230 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted WAV file.
5 CVE-2014-2669 189 Overflow 2014-03-31 2014-03-31
6.5
None Remote Low Single system Partial Partial Partial
Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3) hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a buffer overflow. NOTE: this issue was SPLIT from CVE-2014-0064 because it has a different set of affected versions.
6 CVE-2014-2655 89 Exec Code Sql 2014-04-02 2014-04-03
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the gen_show_status function in functions.inc.php in Postfix Admin (aka postfixadmin) before 2.3.7 allows remote authenticated users to execute arbitrary SQL commands via a new alias.
7 CVE-2014-2587 89 1 Exec Code Sql 2014-03-24 2014-04-01
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in jsp/reports/ReportsAudit.jsp in McAfee Asset Manager 6.6 allows remote authenticated users to execute arbitrary SQL commands via the username of an audit report (aka user parameter).
8 CVE-2014-2525 119 Exec Code Overflow 2014-03-28 2014-03-31
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.
9 CVE-2014-2455 2014-04-15 2014-04-16
6.0
None Remote Medium Single system Partial Partial Partial
Unspecified vulnerability in the Hyperion Common Admin component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to User Interface.
10 CVE-2014-2444 2014-04-15 2014-04-16
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to InnoDB.
11 CVE-2014-2439 2014-04-15 2014-04-16
6.4
None Remote Low Not required Partial Partial None
Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) component in Oracle Virtualization 5.0 and 5.1 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Workspace Web Application.
12 CVE-2014-2436 2014-04-15 2014-04-16
6.0
None Remote Medium Single system Partial Partial Partial
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR.
13 CVE-2014-2422 2014-04-15 2014-04-16
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in Oracle Java SE 7u51 and 8, and JavaFX 2.2.51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
14 CVE-2014-2411 2014-04-15 2014-04-16
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the Oracle Identity Analytics component in Oracle Fusion Middleware Oracle Identity Analytics 11.1.1.5 and Sun Role Manager 5.0 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Security.
15 CVE-2014-2409 2014-04-15 2014-04-16
6.4
None Remote Low Not required Partial Partial None
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment.
16 CVE-2014-2408 2014-04-15 2014-04-16
6.6
None Remote High Single system Complete Complete None
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to the "Grant Any Object Privilege."
17 CVE-2014-2340 352 CSRF 2014-04-03 2014-04-03
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the XCloner plugin before 3.1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that create website backups via a request to wp-admin/plugins.php.
18 CVE-2014-2339 89 Exec Code Sql 2014-03-19 2014-03-20
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in bbs/ajax.autosave.php in GNUboard 5.x and possibly earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) subject or (2) content parameter.
19 CVE-2014-2338 287 Bypass 2014-04-16 2014-04-17
6.4
None Remote Low Not required Partial Partial None
IKEv2 in strongSwan 4.0.7 before 5.1.3 allows remote attackers to bypass authentication by rekeying an IKE_SA during (1) initiation or (2) re-authentication, which triggers the IKE_SA state to be set to established.
20 CVE-2014-2317 89 Exec Code Sql 2014-03-09 2014-03-10
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in ajax_udf.php in OpenDocMan before 1.2.7.2 allows remote attackers to execute arbitrary SQL commands via the table parameter. NOTE: some of these details are obtained from third party information.
21 CVE-2014-2309 189 DoS 2014-03-11 2014-04-01
6.1
None Local Network Low Not required None None Complete
The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets.
22 CVE-2014-2253 DoS 2014-03-16 2014-03-25
6.1
None Local Network Low Not required None None Complete
Siemens SIMATIC S7-1500 CPU PLC devices with firmware before 1.5.0 allow remote attackers to cause a denial of service (defect-mode transition) via crafted Profinet packets.
23 CVE-2014-2252 399 DoS 2014-03-24 2014-03-24
6.1
None Local Network Low Not required None None Complete
Siemens SIMATIC S7-1200 CPU PLC devices with firmware before 4.0 allow remote attackers to cause a denial of service (defect-mode transition) via crafted PROFINET packets, a different vulnerability than CVE-2014-2253.
24 CVE-2014-2245 89 Exec Code Sql 2014-03-05 2014-03-07
6.0
None Remote Medium Single system Partial Partial Partial
SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are obtained from third party information.
25 CVE-2014-2241 20 DoS 2014-03-18 2014-04-01
6.8
None Remote Medium Not required Partial Partial Partial
The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer functions in cff/cf2ft.c in FreeType before 2.5.3 do not properly check if a subroutine exists, which allows remote attackers to cause a denial of service (assertion failure), as demonstrated by a crafted ttf file.
26 CVE-2014-2238 89 Exec Code Sql 2014-03-05 2014-03-07
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter.
27 CVE-2014-2234 20 Bypass 2014-03-05 2014-03-05
6.4
None Remote Low Not required Partial Partial None
A certain Apple patch for OpenSSL in Apple OS X 10.9.2 and earlier uses a Trust Evaluation Agent (TEA) feature without terminating certain TLS/SSL handshakes as specified in the SSL_CTX_set_verify callback function's documentation, which allows remote attackers to bypass extra verification within a custom application via a crafted certificate chain that is acceptable to TEA but not acceptable to that application.
28 CVE-2014-2205 264 2014-02-26 2014-03-05
6.3
None Remote Medium Single system Complete None None
The Import and Export Framework in McAfee ePolicy Orchestrator (ePO) before 4.6.7 Hotfix 940148 allows remote authenticated users with permissions to add dashboards to read arbitrary files by importing a crafted XML file, related to an XML External Entity (XXE) issue.
29 CVE-2014-2144 20 DoS 2014-04-05 2014-04-07
6.1
None Local Network Low Not required None None Complete
Cisco IOS XR does not properly throttle ICMPv6 redirect packets, which allows remote attackers to cause a denial of service (IPv4 and IPv6 transit outage) via crafted redirect messages, aka Bug ID CSCum14266.
30 CVE-2014-2131 399 DoS 2014-03-28 2014-03-31
6.1
None Local Network Low Not required None None Complete
The packet driver in Cisco IOS allows remote attackers to cause a denial of service (device reload) via a series of (1) Virtual Switching Systems (VSS) or (2) Bidirectional Forwarding Detection (BFD) packets, aka Bug IDs CSCug41049 and CSCue61890.
31 CVE-2014-2115 352 CSRF 2014-04-04 2014-04-04
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in CERUserServlet pages in Cisco Emergency Responder (ER) 8.6 and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCun24250.
32 CVE-2014-2103 20 DoS 2014-02-27 2014-02-28
6.8
None Remote Low Single system None None Complete
Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.
33 CVE-2014-2099 189 DoS 2014-03-01 2014-03-03
6.8
None Remote Medium Not required Partial Partial Partial
The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before 2.1.4 does not properly calculate line sizes, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Microsoft RLE video data.
34 CVE-2014-2098 119 DoS Overflow Mem. Corr. 2014-03-01 2014-03-03
6.8
None Remote Medium Not required Partial Partial Partial
libavcodec/wmalosslessdec.c in FFmpeg before 2.1.4 uses an incorrect data-structure size for certain coefficients, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted WMA data.
35 CVE-2014-2097 20 DoS 2014-03-01 2014-03-03
6.8
None Remote Medium Not required Partial Partial Partial
The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before 2.1.4 does not properly validate a certain bits-per-sample value, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted TAK (aka Tom's lossless Audio Kompressor) data.
36 CVE-2014-2089 94 Exec Code 2014-03-02 2014-03-03
6.8
None Remote Medium Not required Partial Partial Partial
ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via an e-mail attachment that leads to creation of a .php file with a certain client_id pathname.
37 CVE-2014-2088 Exec Code 2014-03-02 2014-03-03
6.5
None Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain client_id pathname.
38 CVE-2014-2059 22 Dir. Trav. 2014-02-28 2014-03-04
6.5
None Remote Low Single system Partial Partial Partial
Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.
39 CVE-2014-2047 287 2014-03-14 2014-03-25
6.8
None Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows remote attackers to hijack web sessions via unspecified vectors.
40 CVE-2014-2043 89 1 Exec Code Sql 2014-03-13 2014-03-13
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in Resources/System/Templates/Data.aspx in Procentia IntelliPen before 1.1.18.1658 allows remote authenticated users to execute arbitrary SQL commands via the value parameter.
41 CVE-2014-1979 94 2014-03-19 2014-03-20
6.8
None Remote Medium Not required Partial Partial Partial
The NTT DOCOMO sp mode mail application 5900 through 6300 for Android 4.0.x and 6000 through 6620 for Android 4.1 through 4.4 allows remote attackers to execute arbitrary Java methods via Deco-mail emoticon POP data in an e-mail message.
42 CVE-2014-1915 352 Bypass CSRF 2014-02-07 2014-02-21
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Command School Student Management System 1.06.01 allow remote attackers to hijack the authentication of (1) administrators for requests that change the administrator password via an update action to sw/admin_change_password.php or (2) unspecified victims for requests that add a topic or blog entry to sw/add_topic.php. NOTE: vector 2 can be leveraged to bypass the authentication requirements for exploiting vector 1 in CVE-2014-1914.
43 CVE-2014-1907 22 Dir. Trav. 2014-03-06 2014-03-07
6.4
None Remote Low Not required Partial None Partial
Multiple directory traversal vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_login.php or (2) delete arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_logout.php.
44 CVE-2014-1886 264 Exec Code 2014-03-02 2014-03-07
6.8
None Remote Medium Not required Partial Partial Partial
The Edinburgh by Bus application for Android, when Adobe PhoneGap 2.9.0 or earlier is used, allows remote attackers to execute arbitrary JavaScript code, and consequently access external-storage resources, by leveraging control over one of a number of "obscure Eastern European dating sites."
45 CVE-2014-1885 264 Exec Code 2014-03-02 2014-03-07
6.4
None Remote Low Not required None Partial Partial
The ForzeArmate application for Android, when Adobe PhoneGap 2.9.0 or earlier is used, allows remote attackers to execute arbitrary JavaScript code, and consequently obtain write access to external-storage resources, by leveraging control over any Google syndication advertising domain.
46 CVE-2014-1694 352 CSRF 2014-02-04 2014-03-05
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.
47 CVE-2014-1683 134 2 Exec Code 2014-01-29 2014-02-21
6.8
None Remote Medium Not required Partial Partial Partial
The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name, (2) email, (3) subject, or (4) message parameter to index.php, when the pid parameter is 4.
48 CVE-2014-1680 +Priv 2014-02-14 2014-02-21
6.9
None Local Medium Not required Complete Complete Complete
Untrusted search path vulnerability in Bandisoft Bandizip before 3.10 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory.
49 CVE-2014-1671 89 Exec Code Sql 2014-01-25 2014-01-31
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress element in a (1) getUploadPath or (2) getKBot SOAP request to service/kbot_service.php; the ID parameter to (3) userui/advisory_detail.php or (4) userui/ticket.php; and the (5) ORDER[] parameter to userui/ticket_list.php.
50 CVE-2014-1670 94 2014-01-25 2014-01-31
6.8
None Remote Medium Not required Partial Partial Partial
The Microsoft Bing application before 4.2.1 for Android allows remote attackers to install arbitrary APK files via vectors involving a crafted DNS response.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.