CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 7 and 7.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-5114 2014-07-29 2014-07-30
7.5
None Remote Low Not required Partial Partial Partial
WeBid 1.1.1 allows remote attackers to conduct an LDAP injection attack via the (1) js or (2) cat parameter.
2 CVE-2014-5112 94 Exec Code 2014-07-28 2014-07-29
7.5
None Remote Low Not required Partial Partial Partial
maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter.
3 CVE-2014-5109 89 Exec Code Sql 2014-07-28 2014-07-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in maint/modules/endpointcfg/endpoint_generic.php in Fonality trixbox allows remote attackers to execute arbitrary SQL commands via the mac parameter in a Submit action.
4 CVE-2014-5104 89 Exec Code Sql 2014-07-28 2014-07-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) a_country parameter in a process action to affiliate_signup.php, (2) affiliate_banner_id parameter to affiliate_show_banner.php, (3) country parameter in a process action to create_account.php, or (4) entry_country_id parameter in an edit action to admin/create_account.php.
5 CVE-2014-5102 89 Exec Code Sql 2014-07-25 2014-07-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.
6 CVE-2014-5017 89 Exec Code Sql 2014-07-21 2014-07-22
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter.
7 CVE-2014-4971 +Priv 2014-07-26 2014-07-28
7.2
None Local Low Not required Complete Complete Complete
Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem.
8 CVE-2014-4960 89 1 Exec Code Sql 2014-07-21 2014-07-22
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.
9 CVE-2014-4938 89 Exec Code Sql 2014-07-11 2014-07-14
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the WP Rss Poster (wp-rss-poster) plugin 1.0.0 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter in the wrp-add-new page to wp-admin/admin.php.
10 CVE-2014-4927 119 1 DoS Overflow 2014-07-24 2014-07-25
7.8
None Remote Low Not required None None Complete
Buffer overflow in ACME micro_httpd, as used in D-Link DSL2750U and DSL2740U and NetGear WGR614 and MR-ADSL-DG834 routers allows remote attackers to cause a denial of service (crash) via a long string in the URI in a GET request.
11 CVE-2014-4858 89 Exec Code Sql 2014-07-26 2014-07-28
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in CWPLogin.aspx in Sabre AirCentre Crew products 2010.2.12.20008 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password field.
12 CVE-2014-4852 89 Exec Code Sql 2014-07-10 2014-07-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in admin/uploads.php in The Digital Craft AtomCMS, possibly 2.0, allows remote attackers to execute arbitrary SQL commands via the id parameter.
13 CVE-2014-4850 89 Exec Code Sql 2014-07-10 2014-07-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in FoeCMS allows remote attackers to execute arbitrary SQL commands via the i parameter.
14 CVE-2014-4741 89 Exec Code Sql 2014-07-09 2014-07-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in demo/ads.php in Artifectx xClassified 1.2 allows remote attackers to execute arbitrary SQL commands via the catid parameter.
15 CVE-2014-4736 89 Exec Code Sql 2014-07-24 2014-07-25
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in E2 before 2.4 (2845) allows remote attackers to execute arbitrary SQL commands via the note-id parameter to @actions/comment-process.
16 CVE-2014-4726 2014-07-27 2014-07-28
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors.
17 CVE-2014-4725 287 Exec Code Bypass 2014-07-27 2014-07-28
7.5
None Remote Low Not required Partial Partial Partial
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.
18 CVE-2014-4672 94 2014-07-03 2014-07-24
7.5
None Remote Low Not required Partial Partial Partial
The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.
19 CVE-2014-4644 89 1 Exec Code Sql 2014-06-25 2014-07-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in superlinks.php in the superlinks plugin 1.4-2 for Cacti allows remote attackers to execute arbitrary SQL commands via the id parameter.
20 CVE-2014-4511 2 Exec Code 2014-07-22 2014-07-24
7.5
None Remote Low Not required Partial Partial Partial
Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to blame/master/, master/, and stats/master/.
21 CVE-2014-4334 119 1 Exec Code Overflow 2014-06-19 2014-06-20
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in Ubisoft Rayman Legends before 1.3.140380 allows remote attackers to execute arbitrary code via a long string in the "second connection" to TCP port 1001.
22 CVE-2014-4326 78 Exec Code 2014-07-22 2014-07-22
7.5
None Remote Low Not required Partial Partial Partial
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.
23 CVE-2014-4307 89 Exec Code Sql 2014-06-18 2014-06-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in categories-x.php in WebTitan before 4.04 allows remote attackers to execute arbitrary SQL commands via the sortkey parameter.
24 CVE-2014-4305 89 Exec Code Sql 2014-06-18 2014-06-19
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in NICE Recording eXpress (aka Cybertech eXpress) 6.5.7 and earlier allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
25 CVE-2014-4257 2014-07-17 2014-08-01
7.1
None Remote Medium Not required Complete None None
Unspecified vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.7.0 and 11.1.1.8.0 allows remote attackers to affect confidentiality via unknown vectors related to Portlet Services.
26 CVE-2014-4194 89 Exec Code Sql 2014-07-09 2014-07-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in zero_transact_article.php in ZeroCMS 1.0 allows remote attackers to execute arbitrary SQL commands via the article_id parameter in a Submit Comment action.
27 CVE-2014-4190 119 DoS Overflow 2014-06-17 2014-06-18
7.8
None Remote Low Not required None None Complete
Multiple heap-based buffer overflows in Huawei Campus Series Switches S3700HI, S5700, S6700, S3300HI, S5300, S6300, S9300, S7700, and LSW S9700 with software V200R001 before V200R001SPH013; S5700, S6700, S5300, and S6300 with software V200R002 before V200R002SPH005; S7700, S9300, S9300E, S5300, S5700, S6300, S6700, S2350, S2750, and LSW S9700 with software V200R003 before V200R003SPH005; and S7700, S9300, S9300E, and LSW S9700 with software V200R005 before V200R005C00SPC300 allow remote attackers to cause a denial of service (device restart) via a crafted length field in a packet.
28 CVE-2014-4158 119 1 Exec Code Overflow 2014-06-13 2014-06-16
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a GET request.
29 CVE-2014-4153 200 +Info 2014-06-18 2014-06-19
7.8
None Remote Low Not required Complete None None
The av-centerd SOAP service in AlienVault OSSIM before 4.8.0 allows remote attackers to read arbitrary files via a crafted get_file request.
30 CVE-2014-4034 89 1 Exec Code Sql 2014-06-11 2014-06-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in zero_view_article.php in ZeroCMS 1.0 allows remote attackers to execute arbitrary SQL commands via the article_id parameter.
31 CVE-2014-4018 255 1 2014-07-16 2014-07-16
7.8
None Remote Low Not required None Complete None
The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which makes it easier for remote attackers to obtain access via unspecified vectors.
32 CVE-2014-4003 264 2014-06-09 2014-07-08
7.5
None Remote Low Not required Partial Partial Partial
The System Landscape Directory (SLD) in SAP NetWeaver allows remote attackers to modify information via vectors related to adding a system.
33 CVE-2014-3973 89 Exec Code Sql 2014-06-05 2014-06-06
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
34 CVE-2014-3969 264 +Priv 2014-06-05 2014-06-13
7.4
None Local Network Medium Single system Complete Complete Complete
Xen 4.4.x, when running on an ARM system, does not properly check write permissions on virtual addresses, which allows local guest administrators to gain privileges via unspecified vectors.
35 CVE-2014-3962 89 1 Exec Code Sql 2014-06-04 2014-06-18
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Videos Tube 1.0 allow remote attackers to execute arbitrary SQL commands via the url parameter to (1) videocat.php or (2) single.php.
36 CVE-2014-3961 89 1 Exec Code Sql 2014-06-04 2014-06-05
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Export CSV page in the Participants Database plugin before 1.5.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the query parameter in an "output CSV" action to pdb-signup/.
37 CVE-2014-3937 89 Exec Code Sql 2014-06-02 2014-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Contextual Related Posts plugin before 1.8.10.2 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
38 CVE-2014-3935 89 Exec Code Sql 2014-06-02 2014-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in glossaire-aff.php in the Glossaire module 1.0 for XOOPS allows remote attackers to execute arbitrary SQL commands via the lettre parameter.
39 CVE-2014-3934 89 Exec Code Sql 2014-06-02 2014-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Submit_News module for PHP-Nuke 8.3 allows remote attackers to execute arbitrary SQL commands via the topics[] parameter to modules.php.
40 CVE-2014-3932 89 Exec Code Sql 2014-06-02 2014-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the device registration component in wsf/webservice.php in CoSoSys Endpoint Protector 4 4.3.0.4 and 4.4.0.2 allows remote attackers to execute arbitrary SQL commands via unspecified parameters.
41 CVE-2014-3872 89 Exec Code Sql 2014-05-27 2014-05-28
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.
42 CVE-2014-3871 89 1 Exec Code Sql 2014-05-27 2014-05-28
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in register.php in Geodesic Solutions GeoCore MAX 7.3.3 (formerly GeoClassifieds and GeoAuctions) allow remote attackers to execute arbitrary SQL commands via the (1) c[password] or (2) c[username] parameter. NOTE: the b parameter to index.php vector is already covered by CVE-2006-3823.
43 CVE-2014-3834 264 2014-06-04 2014-06-04
7.5
None Remote Low Not required Partial Partial Partial
ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contacts of other users via the address book or (2) rename files via unspecified vectors.
44 CVE-2014-3819 20 DoS 2014-07-11 2014-07-18
7.8
None Remote Low Not required None None Complete
Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.
45 CVE-2014-3817 20 DoS 2014-07-11 2014-08-01
7.8
None Remote Low Not required None None Complete
Juniper Junos 11.4 before 11.4R12, 12.1X44 before 12.1X44-D32, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, and 12.1X47 before 12.1X47-D10 on SRX Series devices, when NAT protocol translation from IPv4 to IPv6 is enabled, allows remote attackers to cause a denial of service (flowd hang or crash) via a crafted packet.
46 CVE-2014-3815 20 DoS 2014-07-11 2014-07-24
7.8
None Remote Low Not required None None Complete
Juniper Junos 12.1X46 before 12.1X46-D20 and 12.1X47 before 12.1X47-D10 on SRX Series devices allows remote attackers to cause a denial of service (flowd crash) via a crafted SIP packet.
47 CVE-2014-3814 20 DoS 2014-06-13 2014-06-26
7.8
None Remote Low Not required None None Complete
The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.
48 CVE-2014-3813 DoS 2014-06-13 2014-06-26
7.8
None Remote Low Not required None None Complete
Unspecified vulnerability in the Juniper Networks NetScreen Firewall products with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via vectors related to a DNS lookup.
49 CVE-2014-3789 94 Exec Code 2014-05-22 2014-06-27
7.5
None Remote Low Not required Partial Partial Partial
GetPermissions.asp in Cogent Real-Time Systems Cogent DataHub before 7.3.5 allows remote attackers to execute arbitrary commands via unspecified vectors.
50 CVE-2014-3788 119 Exec Code Overflow 2014-05-22 2014-06-27
7.5
None Remote Low Not required Partial Partial Partial
Heap-based buffer overflow in the Web Server in Cogent Real-Time Systems Cogent DataHub before 7.3.5 allows remote attackers to execute arbitrary code via a negative value in the Content-Length field in a request.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.