CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 7 and 7.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-9030 20 DoS 2014-11-24 2014-11-24
7.1
None Remote Medium Not required None None Complete
The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE.
2 CVE-2014-9024 264 Bypass 2014-11-20 2014-11-20
7.5
None Remote Low Not required Partial Partial Partial
The Protected Pages module 7.x-2.x before 7.x-2.4 for Drupal allows remote attackers to bypass the password protection via a crafted path.
3 CVE-2014-9005 89 1 Exec Code Sql 2014-11-20 2014-11-20
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in vldPersonals before 2.7.1 allow remote attackers to execute arbitrary SQL commands via the (1) country, (2) gender1, or ((3) gender2 parameter in a search action to index.php.
4 CVE-2014-8997 94 1 Exec Code 2014-11-20 2014-11-20
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in the Photo functionality in DigitalVidhya Digi Online Examination System 2.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in assets/uploads/images/.
5 CVE-2014-8952 DoS 2014-11-16 2014-11-17
7.1
None Remote Medium Not required None None Complete
Multiple unspecified vulnerabilities in Check Point Security Gateway R75.40VS, R75.45, R75.46, R75.47, R76, R77, and R77.10, when the (1) IPS blade, (2) IPsec Remote Access, (3) Mobile Access / SSL VPN blade, (4) SSL Network Extender, (5) Identify Awareness blade, (6) HTTPS Inspection, (7) UserCheck, or (8) Data Leak Prevention blade module is enabled, allow remote attackers to cause a denial of service ("stability issue") via an unspecified "traffic condition."
6 CVE-2014-8951 DoS 2014-11-16 2014-11-17
7.1
None Remote Medium Not required None None Complete
Unspecified vulnerability in Check Point Security Gateway R75, R76, R77, and R77.10, when UserCheck is enabled and the (1) Application Control, (2) URL Filtering, (3) DLP, (4) Threat Emulation, (5) Anti-Bot, or (6) Anti-Virus blade is used, allows remote attackers to cause a denial of service (fwk0 process crash, core dump, and restart) via a redirect to the UserCheck page.
7 CVE-2014-8950 DoS 2014-11-16 2014-11-17
7.1
None Remote Medium Not required None None Complete
Unspecified vulnerability in Check Point Security Gateway R77 and R77.10, when the (1) URL Filtering or (2) Identity Awareness blade is used, allows remote attackers to cause a denial of service (crash) via vectors involving an HTTPS request.
8 CVE-2014-8766 89 Exec Code Sql 2014-10-14 2014-10-21
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Allomani Weblinks 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter in a browse action to index.php or (2) unspecified parameters to admin.php.
9 CVE-2014-8682 89 1 Exec Code Sql 2014-11-21 2014-11-24
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
10 CVE-2014-8681 89 1 Exec Code Sql 2014-11-21 2014-11-24
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues.
11 CVE-2014-8668 89 Exec Code Sql 2014-11-06 2014-11-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP Contract Accounting allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
12 CVE-2014-8664 89 Exec Code Sql 2014-11-06 2014-11-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Product Safety (EHS-SAF) component in SAP Environment, Health, and Safety Management allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
13 CVE-2014-8663 89 Exec Code Sql 2014-11-06 2014-11-06
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Data Basis (BW-WHM-DBA) in SAP NetWeaver Business Warehouse allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
14 CVE-2014-8662 DoS 2014-11-06 2014-11-06
7.8
None Remote Low Not required None None Complete
Unspecified vulnerability in SAP Payroll Process allows remote attackers to cause a denial of service via vectors related to session handling.
15 CVE-2014-8660 94 Exec Code 2014-11-06 2014-11-06
7.2
None Local Low Not required Complete Complete Complete
SAP Document Management Services allows local users to execute arbitrary commands via unspecified vectors.
16 CVE-2014-8626 119 DoS Exec Code Overflow 2014-11-22 2014-11-24
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding.
17 CVE-2014-8596 89 1 Exec Code Sql 2014-11-17 2014-11-17
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to files/administration/submissions.php or (2) status parameter to files/administration/members.php.
18 CVE-2014-8588 89 Exec Code Sql 2014-11-04 2014-11-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in metadata.xsjs in SAP HANA 1.00.60.379371 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
19 CVE-2014-8587 310 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
SAPCRYPTOLIB before 5.555.38, SAPSECULIB, and CommonCryptoLib before 8.4.30, as used in SAP NetWeaver AS for ABAP and SAP HANA, allows remote attackers to spoof Digital Signature Algorithm (DSA) signatures via unspecified vectors.
20 CVE-2014-8586 89 1 Exec Code Sql 2014-11-04 2014-11-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the CP Multi View Event Calendar plugin 1.01 for WordPress allows remote attackers to execute arbitrary SQL commands via the calid parameter.
21 CVE-2014-8582 2014-11-01 2014-11-13
7.5
None Remote Low Not required Partial Partial Partial
FortiNet FortiADC-E with firmware 3.1.1 before 4.0.5 and Coyote Point Equalizer with firmware 10.2.0a allows remote attackers to obtain access to arbitrary subnets via unspecified vectors.
22 CVE-2014-8554 89 Exec Code Sql 2014-11-13 2014-11-14
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1609.
23 CVE-2014-8549 189 DoS 2014-11-05 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
libavcodec/on2avc.c in FFmpeg before 2.4.2 does not constrain the number of channels to at most 2, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted On2 data.
24 CVE-2014-8548 119 DoS Overflow 2014-11-05 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2 allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted Quicktime Graphics (aka SMC) video data.
25 CVE-2014-8547 119 DoS Overflow 2014-11-05 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
libavcodec/gifdec.c in FFmpeg before 2.4.2 does not properly compute image heights, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted GIF data.
26 CVE-2014-8546 189 DoS 2014-11-05 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2 allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted Cinepak video data.
27 CVE-2014-8545 189 DoS 2014-11-05 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the monochrome-black format without verifying that the bits-per-pixel value is 1, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted PNG data.
28 CVE-2014-8544 20 DoS 2014-11-05 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate bits-per-pixel fields, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted TIFF data.
29 CVE-2014-8543 20 DoS 2014-11-05 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all lines of HHV Intra blocks during validation of image height, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MM video data.
30 CVE-2014-8542 119 DoS Overflow 2014-11-05 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
libavcodec/utils.c in FFmpeg before 2.4.2 omits a certain codec ID during enforcement of alignment, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted JV data.
31 CVE-2014-8541 119 DoS Overflow 2014-11-05 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only dimension differences, and not bits-per-pixel differences, when determining whether an image size has changed, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MJPEG data.
32 CVE-2014-8533 Exec Code 2014-10-29 2014-10-30
7.5
None Remote Low Not required Partial Partial Partial
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to execute arbitrary code via vectors related to ICMP redirection.
33 CVE-2014-8530 DoS +Info 2014-10-29 2014-10-30
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information, affect integrity, or cause a denial of service via unknown vectors, related to simultaneous logins.
34 CVE-2014-8522 287 2014-10-29 2014-10-30
7.5
None Remote Low Not required Partial Partial Partial
The MySQL database in McAfee Network Data Loss Prevention (NDLP) before 9.3 does not require a password, which makes it easier for remote attackers to obtain access.
35 CVE-2014-8517 77 Exec Code 2014-11-17 2014-11-17
7.5
None Remote Low Not required Partial Partial Partial
The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.
36 CVE-2014-8509 119 Exec Code Overflow 2014-10-31 2014-11-03
7.5
None Remote Low Not required Partial Partial Partial
The lazy_bdecode function in BitTorrent bootstrap-dht (aka Bootstrap) allows remote attackers to execute arbitrary code via a crafted packet, which triggers an out-of-bounds read, related to "Improper Indexing."
37 CVE-2014-8506 89 Exec Code Sql 2014-10-28 2014-10-28
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Etiko CMS allow remote attackers to execute arbitrary SQL commands via the (1) page_id parameter to loja/index.php or (2) article_id parameter to index.php.
38 CVE-2014-8474 DoS 2014-11-04 2014-11-20
7.5
None Remote Low Not required Partial Partial Partial
CA Cloud Service Management (CSM) before Summer 2014 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
39 CVE-2014-8442 264 2014-11-11 2014-11-20
7.5
None Remote Low Not required Partial Partial Partial
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to complete a transition from Low Integrity to Medium Integrity by leveraging incorrect permissions.
40 CVE-2014-8413 264 Bypass 2014-11-24 2014-11-25
7.5
None Remote Low Not required Partial Partial Partial
The res_pjsip_acl module in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 does properly create and load ACLs defined in pjsip.conf at startup, which allows remote attackers to bypass intended PJSIP ACL rules.
41 CVE-2014-8388 119 Exec Code Overflow 2014-11-20 2014-11-24
7.2
None Local Low Not required Complete Complete Complete
Stack-based buffer overflow in Advantech WebAccess, formerly BroadWin WebAccess, before 8.0 allows remote attackers to execute arbitrary code via a crafted ip_address parameter in an HTML document.
42 CVE-2014-8366 89 Exec Code Sql 2014-10-20 2014-10-24
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username and password to index.php.
43 CVE-2014-8363 89 Exec Code Sql 2014-10-20 2014-10-24
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in ss_handler.php in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter.
44 CVE-2014-8359 264 Exec Code 2014-11-13 2014-11-13
7.2
None Local Low Not required Complete Complete Complete
Untrusted search path vulnerability in Huawei Mobile Partner for Windows 23.009.05.03.1014 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wintab32.dll in the Mobile Partner directory.
45 CVE-2014-8351 89 Exec Code Sql 2014-11-06 2014-11-06
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in info.php in French National Commission on Informatics and Liberty (aka CNIL) CookieViz before 1.0.1 allows remote web servers to execute arbitrary SQL commands via the domain parameter.
46 CVE-2014-8350 94 Exec Code Bypass 2014-11-03 2014-11-04
7.5
None Remote Low Not required Partial Partial Partial
Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template.
47 CVE-2014-8346 94 DoS 2014-10-24 2014-10-24
7.8
None Remote Low Not required None None Complete
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.
48 CVE-2014-8339 89 Exec Code Sql 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in midroll.php in Nuevolab Nuevoplayer for ClipShare 8.0 and earlier allows remote attackers to execute arbitrary SQL commands via the ch parameter.
49 CVE-2014-8325 399 DoS 2014-10-22 2014-10-23
7.8
None Remote Low Not required None None Complete
The Calendar Base (cal) extension before 1.5.9 and 1.6.x before 1.6.1 for TYPO3 allows remote attackers to cause a denial of service (resource consumption) via vectors related to the PHP PCRE library.
50 CVE-2014-8310 20 DoS 2014-10-16 2014-10-23
7.1
None Remote Medium Not required None None Complete
The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) via crafted OSCAFactory::Session ORB message.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.