CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-5100 352 1 XSS CSRF 2014-07-25 2014-07-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_label parameter to admin/users/api-keys/1, or (3) disable file validation via a request to admin/settings/edit-security.
2 CVE-2014-5023 Exec Code 2014-07-22 2014-07-22
6.8
None Remote Medium Not required Partial Partial Partial
Repository.php in Gitter, as used in Gitlist, allows remote attackers with commit privileges to execute arbitrary commands via shell metacharacters in a branch name, as demonstrated by a "git checkout -b" command.
3 CVE-2014-4977 89 Exec Code Sql 2014-07-16 2014-07-16
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 11.0.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) selectedUserGroup parameter in a create new user request to cgi-bin/admin.cgi or the (2) user_id parameter in the changeUnit function, (3) methodDetail parameter in the methodDetail function, or (4) xcNetworkDetail parameter in the xcNetworkDetail function in d4d/exporters.php.
4 CVE-2014-4964 352 CSRF 2014-07-15 2014-07-18
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Shopizer 1.1.5 and earlier allow remote attackers to hijack the authentication of users for requests that (1) modify customer settings or hijack the authentication of administrators for requests that change (2) customer passwords, (3) shop configuration, or (4) product details, as demonstrated by (5) modify a product's price via a crafted request to central/catalog/saveproduct.action or (6) creating a product review via a crafted request to shop/product/createReview.action.
5 CVE-2014-4963 2014-07-15 2014-07-16
6.8
None Remote Medium Not required Partial Partial Partial
Shopizer 1.1.5 and earlier allows remote attackers to modify the account settings of arbitrary users via the customer.customerId parameter to shop/profile/register.action.
6 CVE-2014-4962 189 2014-07-15 2014-07-16
6.4
None Remote Low Not required None Partial Partial
Shopizer 1.1.5 and earlier allows remote attackers to reduce the total cost of their shopping cart via a negative number in the productQuantity parameter, which causes the price of the item to be subtracted from the total cost.
7 CVE-2014-4948 DoS +Info 2014-07-22 2014-08-01
6.4
None Remote Low Not required Partial None Partial
Unspecified vulnerability in Citrix XenServer 6.2 Service Pack 1 and earlier allows attackers to cause a denial of service and obtain sensitive information by modifying the guest virtual hard disk (VHD).
8 CVE-2014-4944 89 Exec Code Sql 2014-07-14 2014-07-14
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in inc/bsk-pdf-dashboard.php in the BSK PDF Manager plugin 1.3.2 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) categoryid or (2) pdfid parameter to wp-admin/admin.php.
9 CVE-2014-4943 264 +Priv 2014-07-19 2014-08-01
6.9
None Local Medium Not required Complete Complete Complete
The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.
10 CVE-2014-4939 89 Exec Code Sql 2014-07-11 2014-07-14
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the ENL Newsletter (enl-newsletter) plugin 1.0.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in the enl-add-new page to wp-admin/admin.php.
11 CVE-2014-4909 189 DoS Exec Code Overflow 2014-07-29 2014-07-30
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in the tr_bitfieldEnsureNthBitAlloced function in bitfield.c in Transmission before 2.84 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted peer message, which triggers an out-of-bounds write.
12 CVE-2014-4718 352 1 XSS CSRF 2014-07-03 2014-07-07
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Lunar CMS before 3.3-3 allow remote attackers to hijack the authentication of administrators for requests that (1) add Super users via a request to admin/user_create.php or conduct cross-site scripting (XSS) attacks via the (2) email or (3) subject parameter in contact_form.ext.php to admin/extensions.php.
13 CVE-2014-4717 352 XSS CSRF 2014-07-03 2014-07-07
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Simple Share Buttons Adder plugin before 4.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) ssba_share_text parameter in a save action to wp-admin/options-general.php, which is not properly handled in the homepage, and unspecified vectors related to (2) Pages, (3) Posts, (4) Category/Archive pages or (5) post Excerpts.
14 CVE-2014-4716 352 1 CSRF 2014-07-03 2014-07-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Thomson TWG87OUIR allows remote attackers to hijack the authentication of unspecified victims for requests that change passwords via the Password and PasswordReEnter parameters to goform/RgSecurity.
15 CVE-2014-4699 362 1 DoS +Priv 2014-07-09 2014-08-01
6.9
None Local Medium Not required Complete Complete Complete
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.
16 CVE-2014-4691 2014-07-02 2014-07-02
6.8
None Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in pfSense before 2.1.4 allows remote attackers to hijack web sessions via a firewall login cookie.
17 CVE-2014-4688 Exec Code 2014-07-02 2014-07-02
6.5
User Remote Low Single system Partial Partial Partial
pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create Alias action, (2) the smartmonemail value to diag_smart.php, or (3) the database value to status_rrd_graph_img.php.
18 CVE-2014-4686 +Info 2014-07-24 2014-07-25
6.8
None Remote Medium Not required Partial Partial Partial
The Project administration application in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, has a hardcoded encryption key, which allows remote attackers to obtain sensitive information by extracting this key from another product installation and then employing this key during the sniffing of network traffic on TCP port 1030.
19 CVE-2014-4684 264 +Priv 2014-07-24 2014-07-25
6.0
None Remote Medium Single system Partial Partial Partial
The database server in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, allows remote authenticated users to gain privileges via a request to TCP port 1433.
20 CVE-2014-4671 352 +Info CSRF 2014-07-09 2014-07-17
6.8
None Remote Medium Not required Partial Partial Partial
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.
21 CVE-2014-4668 287 Bypass 2014-07-02 2014-07-02
6.8
None Remote Medium Not required Partial Partial Partial
The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password.
22 CVE-2014-4663 94 1 Exec Code 2014-07-15 2014-07-15
6.8
None Remote Medium Not required Partial Partial Partial
TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.
23 CVE-2014-4653 DoS +Info 2014-07-03 2014-08-01
6.6
None Local Low Not required Complete None Complete
sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.
24 CVE-2014-4649 89 Exec Code Sql 2014-06-28 2014-06-30
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.
25 CVE-2014-4646 119 Exec Code Overflow 2014-07-07 2014-07-08
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in the FPDFBookmark_GetTitle method in Foxit PDF SDK DLL before 3.1.1.5005 allows context-dependent attackers to execute arbitrary code via unspecified vectors.
26 CVE-2014-4614 352 CSRF 2014-07-02 2014-07-09
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method.
27 CVE-2014-4507 22 Dir. Trav. 2014-06-20 2014-06-23
6.4
None Remote Low Not required None Partial Partial
Directory traversal vulnerability in Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the dst parameter to tftp/fetch_boot_file.
28 CVE-2014-4333 352 Sql CSRF 2014-06-19 2014-06-20
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in administration/profiles.php in Dolphin 7.1.4 and earlier allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the members[] parameter, related to CVE-2014-3810.
29 CVE-2014-4267 2014-07-17 2014-08-01
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components.
30 CVE-2014-4261 2014-07-17 2014-08-01
6.9
None Local Medium Not required Complete Complete Complete
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.14 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-2487.
31 CVE-2014-4258 2014-07-17 2014-08-01
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier and 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRINFOSC.
32 CVE-2014-4255 2014-07-17 2014-08-01
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS - Security and Policy.
33 CVE-2014-4254 2014-07-17 2014-08-01
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS - Web Services.
34 CVE-2014-4236 2014-07-17 2014-08-01
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the RDBMS Core component in Oracle Database Server 11.2.0.4 and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
35 CVE-2014-4225 2014-07-17 2014-08-01
6.9
None Local Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Patch installation scripts.
36 CVE-2014-4209 2014-07-17 2014-08-01
6.4
None Remote Low Not required Partial Partial None
Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX.
37 CVE-2014-4188 352 CSRF 2014-06-17 2014-06-18
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Hitachi Tuning Manager before 7.6.1-06 and 8.x before 8.0.0-04 and JP1/Performance Management - Manager Web Option 07-00 through 07-54 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
38 CVE-2014-4163 352 CSRF 2014-06-16 2014-06-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Featured Comments plugin 1.2.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that change the (1) buried or (2) featured status of a comment via a request to wp-admin/admin-ajax.php.
39 CVE-2014-4162 352 1 CSRF 2014-06-16 2014-07-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to Forms/WLAN_General_1.
40 CVE-2014-4155 352 1 CSRF 2014-06-19 2014-07-18
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK allows remote attackers to hijack the authentication of administrators for requests that change the admin password via a request to Forms/tools_admin_1.
41 CVE-2014-4046 Exec Code 2014-06-17 2014-06-18
6.5
None Remote Low Single system Partial Partial Partial
Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and Certified Asterisk 11.6 before 11.6-cert3 allows remote authenticated Manager users to execute arbitrary shell commands via a MixMonitor action.
42 CVE-2014-4030 352 CSRF 2014-06-25 2014-06-26
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the JW Player plugin before 2.1.4 for WordPress allows remote attackers to hijack the authentication of administrators for requests that remove players via a delete action to wp-admin/admin.php.
43 CVE-2014-4014 264 Bypass 2014-06-23 2014-07-11
6.2
None Local High Not required Complete Complete Complete
The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.
44 CVE-2014-3992 89 Exec Code Sql 2014-07-11 2014-07-11
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote authenticated users to execute arbitrary SQL commands via the (1) entity parameter in an update action to user/fiche.php or (2) sortorder parameter to user/group/index.php.
45 CVE-2014-3977 59 2014-06-08 2014-06-18
6.9
None Local Medium Not required Complete Complete Complete
libodm.a in IBM AIX 6.1 and 7.1, and VIOS 2.2.x, allows local users to overwrite arbitrary files via a symlink attack on a temporary file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2179.
46 CVE-2014-3942 94 Exec Code 2014-06-03 2014-06-04
6.0
None Remote Medium Single system Partial Partial Partial
The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object.
47 CVE-2014-3920 352 CSRF 2014-07-03 2014-07-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentication of administrators for requests that add an administrative user via a save action to the default URI.
48 CVE-2014-3896 352 CSRF 2014-07-29 2014-07-30
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in CGI programs in Seeds acmailer before 3.8.17 and 3.9.x before 3.9.10 Beta allow remote attackers to hijack the authentication of arbitrary users for requests that modify or delete data, as demonstrated by modifying data affecting authorization.
49 CVE-2014-3895 287 Bypass 2014-07-29 2014-07-30
6.4
None Remote Low Not required Partial Partial None
The I-O DATA TS-WLCAM camera with firmware 1.06 and earlier, TS-WLCAM/V camera with firmware 1.06 and earlier, TS-WPTCAM camera with firmware 1.08 and earlier, TS-PTCAM camera with firmware 1.08 and earlier, TS-PTCAM/POE camera with firmware 1.08 and earlier, and TS-WLC2 camera with firmware 1.02 and earlier allow remote attackers to bypass authentication, and consequently obtain sensitive credential and configuration data, via unspecified vectors.
50 CVE-2014-3891 119 Exec Code Overflow 2014-07-09 2014-07-09
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in RimArts Becky! Internet Mail before 2.68 allows remote POP3 servers to execute arbitrary code via a crafted response.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.