CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-94

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-5519 94 1 Exec Code 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information.
2 CVE-2014-5340 94 Exec Code 2014-09-02 2014-09-03
9.3
None Remote Medium Not required Complete Complete Complete
The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to an automation URL.
3 CVE-2014-5261 94 Exec Code 2014-08-22 2014-08-23
7.5
None Remote Low Not required Partial Partial Partial
The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a font size, related to the rrdtool commandline in lib/rrd.php.
4 CVE-2014-5210 94 Exec Code 2014-08-21 2014-08-21
10.0
None Remote Low Not required Complete Complete Complete
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 and CVE-2014-3805.
5 CVE-2014-5194 94 1 2014-08-07 2014-08-07
6.5
None Remote Low Single system Partial Partial Partial
Static code injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote authenticated users to inject arbitrary PHP code into settings/conf.php via the _word_upper_bound parameter.
6 CVE-2014-5158 94 Exec Code 2014-08-21 2014-08-21
10.0
None Remote Low Not required Complete Complete Complete
The (1) av-centerd SOAP service and (2) backup command in the ossim-framework service in AlienVault OSSIM before 4.6.0 allows remote attackers to execute arbitrary commands via unspecified vectors.
7 CVE-2014-5112 94 Exec Code 2014-07-28 2014-07-29
7.5
None Remote Low Not required Partial Partial Partial
maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter.
8 CVE-2014-5090 94 Exec Code 2014-08-06 2014-08-07
6.5
None Remote Low Single system Partial Partial Partial
admin/options/logs.php in Status2k allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the Location field in Add Logs in the Admin Panel.
9 CVE-2014-4767 94 Exec Code 2014-08-21 2014-08-22
6.5
None Remote Low Single system Partial Partial Partial
IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8.5.5.3 does not properly use the Liberty Repository for feature installation, which allows remote authenticated users to execute arbitrary code via unspecified vectors.
10 CVE-2014-4672 94 2014-07-03 2014-07-24
7.5
None Remote Low Not required Partial Partial Partial
The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.
11 CVE-2014-4663 94 1 Exec Code 2014-07-15 2014-07-15
6.8
None Remote Medium Not required Partial Partial Partial
TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.
12 CVE-2014-4152 94 Exec Code 2014-06-18 2014-06-19
10.0
None Remote Low Not required Complete Complete Complete
The av-centerd SOAP service in AlienVault OSSIM before 4.8.0 allows remote attackers to execute arbitrary code via a crafted remote_task request, related to injecting an ssh public key.
13 CVE-2014-4151 94 Exec Code 2014-06-18 2014-06-19
10.0
None Remote Low Not required Complete Complete Complete
The av-centerd SOAP service in AlienVault OSSIM before 4.8.0 allows remote attackers to create arbitrary files and execute arbitrary code via a crafted set_file request.
14 CVE-2014-3942 94 Exec Code 2014-06-03 2014-06-04
6.0
None Remote Medium Single system Partial Partial Partial
The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object.
15 CVE-2014-3915 94 Exec Code 2014-06-11 2014-06-12
10.0
None Remote Low Not required Complete Complete Complete
The userRequest servlet in the Admin Center for Tivoli Storage Manager in Rocket Servergraph allows remote attackers to execute arbitrary commands via a (1) auth, (2) auth_session, (3) auth_simple, (4) add, (5) add_flat, (6) remove, (7) set_pwd, (8) add_permissions, (9) revoke_permissions, (10) runAsync, or (11) tsmRequest command.
16 CVE-2014-3911 94 Exec Code 2014-06-11 2014-06-12
9.3
None Remote Medium Not required Complete Complete Complete
Samsung iPOLiS Device Manager before 1.8.7 allow remote attackers to execute arbitrary code via unspecified values to the (1) Start, (2) ChangeControlLocalName, (3) DeleteDeviceProfile, (4) FrameAdvanceReader, or other unknown method in the XNSSDKDEVICE.XnsSdkDeviceCtrlForIpInstaller.1 ActiveX control.
17 CVE-2014-3910 94 +Priv 2014-09-05 2014-09-08
4.4
None Local Medium Not required Partial Partial Partial
Emurasoft EmFTP allows local users to gain privileges via a Trojan horse executable file that is launched during an attempt to read a similarly named file that lacks a filename extension.
18 CVE-2014-3805 94 Exec Code 2014-06-13 2014-06-16
10.0
None Remote Low Not required Complete Complete Complete
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) get_license, (2) get_log_line, or (3) update_system/upgrade_pro_web request, a different vulnerability than CVE-2014-3804.
19 CVE-2014-3804 94 Exec Code 2014-06-13 2014-06-16
10.0
None Remote Low Not required Complete Complete Complete
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) update_system_info_debian_package, (2) ossec_task, (3) set_ossim_setup admin_ip, (4) sync_rserver, or (5) set_ossim_setup framework_ip request, a different vulnerability than CVE-2014-3805.
20 CVE-2014-3789 94 Exec Code 2014-05-22 2014-06-27
7.5
None Remote Low Not required Partial Partial Partial
GetPermissions.asp in Cogent Real-Time Systems Cogent DataHub before 7.3.5 allows remote attackers to execute arbitrary commands via unspecified vectors.
21 CVE-2014-3560 94 Exec Code 2014-08-06 2014-08-07
7.9
None Local Network Medium Not required Complete Complete Complete
NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x before 4.1.11 allows remote attackers to execute arbitrary code via unspecified vectors that modify heap memory, involving a sizeof operation on an incorrect variable in the unstrcpy macro in string_wrappers.h.
22 CVE-2014-3545 94 Exec Code 2014-07-29 2014-07-29
6.0
None Remote Medium Single system Partial Partial Partial
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz.
23 CVE-2014-3541 94 Exec Code 2014-07-29 2014-07-29
7.5
None Remote Low Not required Partial Partial Partial
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.
24 CVE-2014-3518 94 Exec Code 2014-07-22 2014-07-23
6.8
None Remote Medium Not required Partial Partial Partial
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors.
25 CVE-2014-3496 94 Exec Code 2014-06-20 2014-06-23
10.0
None Remote Low Not required Complete Complete Complete
cartridge_repository.rb in OpenShift Origin and Enterprise 1.2.8 through 2.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a Source-Url ending with a (1) .tar.gz, (2) .zip, (3) .tgz, or (4) .tar file extension in a cartridge manifest file.
26 CVE-2014-3453 94 Exec Code 2014-05-17 2014-05-19
6.5
None Remote Low Single system Partial Partial Partial
Eval injection vulnerability in the flag_import_form_validate function in includes/flag.export.inc in the Flag module 7.x-3.0, 7.x-3.5, and earlier for Drupal allows remote authenticated administrators to execute arbitrary PHP code via the "Flag import code" text area to admin/structure/flags/import. NOTE: this issue could also be exploited by other attackers if the administrator ignores a security warning on the permissions assignment page.
27 CVE-2014-3444 94 DoS Exec Code 2014-05-20 2014-05-20
9.3
None Remote Medium Not required Complete Complete Complete
The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed .3gp file.
28 CVE-2014-3429 94 Exec Code 2014-08-07 2014-08-07
6.8
None Remote Medium Not required Partial Partial Partial
IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.
29 CVE-2014-3177 94 Exec Code 2014-08-26 2014-09-04
10.0
None Remote Low Not required Complete Complete Complete
Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3176.
30 CVE-2014-3176 94 Exec Code 2014-08-26 2014-09-04
10.0
None Remote Low Not required Complete Complete Complete
Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3177.
31 CVE-2014-3011 94 2014-06-27 2014-06-30
5.0
None Remote Low Not required None Partial None
IBM OpenPages GRC Platform 6.1.0.1 before IF4 allows remote attackers to conduct link injection attacks via unspecified vectors.
32 CVE-2014-2996 94 1 Exec Code 2014-04-25 2014-04-28
7.1
None Remote High Single system Complete Complete Complete
XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the dbbackup_comp parameter in a generate action to index2.php. NOTE: it is not clear whether this issue crosses privilege boundaries, since administrators might already have the privileges to execute code. NOTE: this can be leveraged by remote attackers using CVE-2014-2579.
33 CVE-2014-2936 94 2014-05-08 2014-05-16
7.5
None Remote Low Not required Partial Partial Partial
The directory manager in Caldera 9.20 allows remote attackers to conduct variable-injection attacks in the global scope via (1) the maindir_hotfolder parameter to dirmng/index.php, or an unspecified parameter to (2) PPD/index.php, (3) dirmng/docmd.php, or (4) dirmng/param.php.
34 CVE-2014-2921 94 Exec Code 2014-04-21 2014-04-22
7.5
None Remote Low Not required Partial Partial Partial
The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing \0 character.
35 CVE-2014-2909 94 2014-04-25 2014-04-25
5.8
None Remote Medium Not required None Partial Partial
CRLF injection vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary HTTP headers via unspecified vectors.
36 CVE-2014-2866 94 2014-04-15 2014-04-16
10.0
None Remote Low Not required Complete Complete Complete
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on client JavaScript code for access restrictions, which allows remote attackers to perform unspecified operations by modifying this code.
37 CVE-2014-2777 94 2014-06-11 2014-07-24
7.5
User Remote Low Not required Partial Partial Partial
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary web script with increased privileges via unspecified vectors, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2014-1778.
38 CVE-2014-2720 94 Exec Code 2014-05-27 2014-05-29
6.8
None Remote Medium Not required Partial Partial Partial
IZArc 4.1.8 displays a file's name on the basis of a ZIP archive's Central Directory entry, but launches this file on the basis of a ZIP archive's local file header, which allows user-assisted remote attackers to conduct file-extension spoofing attacks via a modified Central Directory, as demonstrated by unintended code execution prompted by a .jpg extension in the Central Directory and a .exe extension in the local file header.
39 CVE-2014-2558 94 Exec Code 2014-05-06 2014-05-07
6.5
None Remote Low Single system Partial Partial Partial
The File Gallery plugin before 1.7.9.2 for WordPress does not properly escape strings, which allows remote administrators to execute arbitrary PHP code via a \' (backslash quote) in the setting fields to /wp-admin/options-media.php, related to the create_function function.
40 CVE-2014-2378 94 Exec Code 2014-09-05 2014-09-08
7.6
None Local Network Medium Not required Complete Complete Partial
Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not verify the integrity of downloaded updates, which allows remote attackers to execute arbitrary code via a Trojan horse update.
41 CVE-2014-2223 94 1 Exec Code 2014-09-11 2014-09-13
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in plog-admin/plog-upload.php in Plogger 1.0 RC1 and earlier allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-zero length PNG file, then accessing the PHP file via a direct request to it in plog-content/uploads/archive/.
42 CVE-2014-2196 94 Exec Code 2014-05-25 2014-06-18
9.3
None Remote Medium Not required Complete Complete Complete
Cisco Wide Area Application Services (WAAS) 5.1.1 before 5.1.1e, when SharePoint prefetch optimization is enabled, allows remote SharePoint servers to execute arbitrary code via a malformed response, aka Bug ID CSCue18479.
43 CVE-2014-2170 94 Exec Code 2014-05-02 2014-05-02
9.0
None Remote Low Single system Complete Complete Complete
Cisco TelePresence TC Software 4.x and 5.x before 5.1.7 and 6.x before 6.0.1 and TE Software 4.x and 6.0 allow remote authenticated users to execute arbitrary commands by using the commands as arguments to tshell (aka tcsh) scripts, aka Bug ID CSCue60202.
44 CVE-2014-2089 94 Exec Code 2014-03-02 2014-03-03
6.8
None Remote Medium Not required Partial Partial Partial
ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via an e-mail attachment that leads to creation of a .php file with a certain client_id pathname.
45 CVE-2014-2051 94 2014-06-05 2014-06-24
7.5
None Remote Low Not required Partial Partial Partial
ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to conduct an LDAP injection attack via unspecified vectors, as demonstrated using a "login query."
46 CVE-2014-1999 94 Exec Code 2014-07-20 2014-08-04
7.5
None Remote Low Not required Partial Partial Partial
The auto-format feature in the Request_Curl class in FuelPHP 1.1 through 1.7.1 allows remote attackers to execute arbitrary code via a crafted response.
47 CVE-2014-1979 94 2014-03-19 2014-03-20
6.8
None Remote Medium Not required Partial Partial Partial
The NTT DOCOMO sp mode mail application 5900 through 6300 for Android 4.0.x and 6000 through 6620 for Android 4.1 through 4.4 allows remote attackers to execute arbitrary Java methods via Deco-mail emoticon POP data in an e-mail message.
48 CVE-2014-1939 94 Exec Code 2014-03-02 2014-03-04
7.5
None Remote Low Not required Partial Partial Partial
java/android/webkit/BrowserFrame.java in Android before 4.4 uses the addJavascriptInterface API in conjunction with creating an object of the SearchBoxImpl class, which allows attackers to execute arbitrary Java code by leveraging access to the searchBoxJavaBridge_ interface at certain Android API levels.
49 CVE-2014-1824 94 Exec Code 2014-07-08 2014-07-17
9.3
None Remote Medium Not required Complete Complete Complete
Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted Journal (aka .JNT) file, aka "Windows Journal Remote Code Execution Vulnerability."
50 CVE-2014-1813 94 Exec Code 2014-05-14 2014-06-30
8.5
None Remote Medium Single system Complete Complete Complete
Microsoft Web Applications 2010 SP1 and SP2 allows remote authenticated users to execute arbitrary code via crafted page content, aka "Web Applications Page Content Vulnerability."
Total number of vulnerabilities : 1906   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.