CVEdetails.com

Security Vulnerabilities Published In 2014

Columns: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | CVSS Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
Each row is followed by its description; "-" marks a cell the listing left empty.
1 | CVE-2014-6070 | 79 | 1 | XSS | 2014-09-11 | 2014-09-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in Adiscon LogAnalyzer before 3.6.6 allow remote attackers to inject arbitrary web script or HTML via the hostname in (1) index.php or (2) detail.php.

2 | CVE-2014-6043 | 264 | 1 | - | 2014-09-11 | 2014-09-12 | 6.5 | User | Remote | Low | Single system | Partial | Partial | Partial
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do.

3 | CVE-2014-5521 | 89 | 1 | Exec Code, Sql | 2014-09-02 | 2014-09-03 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
plugins/useradmin/fingeruser.php in XRMS CRM, possibly 1.99.2, allows remote authenticated users to execute arbitrary code via shell metacharacters in the username parameter.

4 | CVE-2014-5519 | 94 | 1 | Exec Code | 2014-09-11 | 2014-09-11 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information.

5 | CVE-2014-5465 | 22 | 1 | Dir. Trav. | 2014-09-03 | 2014-09-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None
Directory traversal vulnerability in force-download.php in the Download Shortcode plugin 0.2.3 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

6 | CVE-2014-5464 | 79 | 1 | XSS | 2014-09-08 | 2014-09-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in the nDPI traffic classification library in ntopng (aka ntop) before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.

7 | CVE-2014-5460 | 20 | 1 | Exec Code | 2014-09-11 | 2014-09-15 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/.

8 | CVE-2014-5455 | - | 1 | +Priv | 2014-08-25 | 2014-08-26 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
Unquoted Windows search path vulnerability in the ptservice service in PrivateTunnel 2.3.8, as bundled in OpenVPN 2.1.28.0, allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder.
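An unquoted service path like the one in CVE-2014-5455 is found by working out which file names the Windows service control manager will try before it reaches the real binary: it splits the ImagePath at every space and tries each prefix (with .exe appended) in turn. The Python below is an added illustration, not code from CVEdetails or from PrivateTunnel. The sample registry values are constructed, and the PrivateTunnel install directory is an assumption; the listing only states that %SYSTEMDRIVE%\program.exe is a hijack point.

```python
"""Candidate hijack locations for an unquoted Windows service ImagePath.

When an ImagePath contains spaces and is not wrapped in quotes, the service
control manager cannot tell where the executable name ends. It tries each
space-delimited prefix in turn (appending .exe when the prefix has no
extension) and runs the first one that exists. Any prefix that a low-
privileged user can create is therefore a privilege-escalation point.
"""
from typing import Dict, List

# Constructed sample registry values, not captured from a real host. The
# PrivateTunnel install directory is an assumption for illustration only.
SAMPLE_SERVICES: Dict[str, str] = {
    "ptservice": r"C:\Program Files\Private Tunnel\ptservice.exe -run",
    "quoted_ok": r'"C:\Program Files\Vendor Tool\agent.exe" --service',
    "no_spaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def candidate_paths(image_path: str) -> List[str]:
    """Files the SCM would try, in order, ending with the intended binary.

    A quoted path is unambiguous and yields no candidates.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    parts = path.split(" ")
    candidates: List[str] = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)  # the real binary; the search stops here
            break
        candidates.append(prefix + ".exe")
    return candidates


def hijack_points(image_path: str) -> List[str]:
    """Every candidate that is tried before the intended binary."""
    return candidate_paths(image_path)[:-1]


def scan(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service name to the paths an attacker could plant."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        points = hijack_points(image_path)
        if points:
            findings[name] = points
    return findings


if __name__ == "__main__":
    for name, points in scan(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, an attacker could plant one of {points}")
```

On a live host, feed `scan` the PathName values from `Get-CimInstance Win32_Service` (or the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services) and then check, with icacls, whether an unprivileged account can create files in the parent directory of each reported path; only those directories are real escalation points.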
9 | CVE-2014-5453 | 264 | 1 | +Priv | 2014-08-25 | 2014-08-26 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Ubisoft Uplay PC before 4.6.1.3217 uses weak permissions (Everyone: Full Control) for the program installation directory (%PROGRAMFILES%\Ubisoft Game Launcher), which allows local users to gain privileges via a Trojan horse file.

10 | CVE-2014-5377 | 200 | 1 | +Info | 2014-09-04 | 2014-09-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None
ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.

11 | CVE-2014-5349 | 119 | 1 | DoS, Overflow | 2014-08-19 | 2014-08-20 | 5.0 | None | Remote | Low | Not required | None | None | Partial
Stack-based buffer overflow in Baidu Spark Browser 26.5.9999.3511 allows remote attackers to cause a denial of service (application crash) via nested calls to the window.print JavaScript function.

12 | CVE-2014-5347 | 352 | 1 | XSS, CSRF | 2014-08-19 | 2014-08-20 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin before 2.76 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) disqus_replace, (2) disqus_public_key, or (3) disqus_secret_key parameter to wp-admin/edit-comments.php in manage.php or that (4) reset or (5) delete plugin options via the reset parameter to wp-admin/edit-comments.php.

13 | CVE-2014-5246 | 264 | 1 | Bypass | 2014-08-22 | 2014-08-27 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication and gain administrator access by setting the admin:language cookie to zh-cn.

14 | CVE-2014-5194 | 94 | 1 | - | 2014-08-07 | 2014-08-07 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
Static code injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote authenticated users to inject arbitrary PHP code into settings/conf.php via the _word_upper_bound parameter.

15 | CVE-2014-5193 | 79 | 1 | XSS | 2014-08-07 | 2014-08-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in admin/admin.php in Sphider 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the category parameter. NOTE: the url parameter vector is already covered by CVE-2014-5082.

16 | CVE-2014-5192 | 89 | 1 | Exec Code, Sql | 2014-08-07 | 2014-08-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote attackers to execute arbitrary SQL commands via the filter parameter.
17 | CVE-2014-5116 | - | 1 | DoS | 2014-07-29 | 2014-07-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial
The cairo_image_surface_get_data function in Cairo 1.10.2, as used in GTK+ and Wireshark, allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via a large string.

18 | CVE-2014-5115 | 22 | 1 | Dir. Trav. | 2014-07-29 | 2014-08-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None
Absolute path traversal vulnerability in DirPHP 1.0 allows remote attackers to read arbitrary files via a full pathname in the phpfile parameter to index.php.

19 | CVE-2014-5100 | 352 | 1 | XSS, CSRF | 2014-07-25 | 2014-07-28 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_label parameter to admin/users/api-keys/1, or (3) disable file validation via a request to admin/settings/edit-security.

20 | CVE-2014-5082 | 89 | 1 | Exec Code, Sql | 2014-08-06 | 2014-08-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Multiple SQL injection vulnerabilities in admin/admin.php in Sphider 1.3.6 and earlier, Sphider Pro, and Spider-plus allow remote attackers to execute arbitrary SQL commands via the (1) site_id or (2) url parameter.

21 | CVE-2014-5073 | - | 1 | Exec Code | 2014-08-29 | 2014-09-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 28657 allows remote attackers to execute arbitrary commands via shell metacharacters in the fileDate parameter in a DOWN call.

22 | CVE-2014-4971 | - | 1 | +Priv | 2014-07-26 | 2014-08-22 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem.

23 | CVE-2014-4960 | 89 | 1 | Exec Code, Sql | 2014-07-21 | 2014-07-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

24 | CVE-2014-4927 | 119 | 1 | DoS, Overflow | 2014-07-24 | 2014-07-25 | 7.8 | None | Remote | Low | Not required | None | None | Complete
Buffer overflow in ACME micro_httpd, as used in D-Link DSL2750U and DSL2740U and NetGear WGR614 and MR-ADSL-DG834 routers, allows remote attackers to cause a denial of service (crash) via a long string in the URI in a GET request.
25 | CVE-2014-4718 | 352 | 1 | XSS, CSRF | 2014-07-03 | 2014-07-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Lunar CMS before 3.3-3 allow remote attackers to hijack the authentication of administrators for requests that (1) add Super users via a request to admin/user_create.php or conduct cross-site scripting (XSS) attacks via the (2) email or (3) subject parameter in contact_form.ext.php to admin/extensions.php.

26 | CVE-2014-4716 | 352 | 1 | CSRF | 2014-07-03 | 2014-07-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Cross-site request forgery (CSRF) vulnerability in Thomson TWG87OUIR allows remote attackers to hijack the authentication of unspecified victims for requests that change passwords via the Password and PasswordReEnter parameters to goform/RgSecurity.

27 | CVE-2014-4710 | 79 | 1 | XSS | 2014-07-29 | 2014-07-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in zero_user_account.php in ZeroCMS 1.0 allows remote attackers to inject arbitrary web script or HTML via the Full Name field.

28 | CVE-2014-4699 | 362 | 1 | DoS, +Priv | 2014-07-09 | 2014-08-01 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.

29 | CVE-2014-4663 | 94 | 1 | Exec Code | 2014-07-15 | 2014-07-15 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allow remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.

30 | CVE-2014-4645 | 79 | 1 | XSS | 2014-06-25 | 2014-06-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in dhcpinfo.html in D-Link DSL-2760U-E1 allows remote attackers to inject arbitrary web script or HTML via a hostname.

31 | CVE-2014-4644 | 89 | 1 | Exec Code, Sql | 2014-06-25 | 2014-07-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in superlinks.php in the superlinks plugin 1.4-2 for Cacti allows remote attackers to execute arbitrary SQL commands via the id parameter.

32 | CVE-2014-4643 | 119 | 1 | DoS, Exec Code, Overflow | 2014-06-25 | 2014-06-26 | 5.0 | None | Remote | Low | Not required | None | None | Partial
Multiple heap-based buffer overflows in the client in Core FTP LE 2.2 build 1798 allow remote FTP servers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string in a reply to a (1) USER, (2) PASS, (3) PASV, (4) SYST, (5) PWD, or (6) CDUP command.

33 | CVE-2014-4511 | - | 2 | Exec Code | 2014-07-22 | 2014-07-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to blame/master/, master/, and stats/master/.
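Five entries in this listing (XRMS fingeruser.php, the PhpWiki Ploticus module, VMTurbo vmtadmin.cgi, TimThumb Webshot and Gitlist) share one root cause: a request parameter is pasted into a command string that a shell then parses, so `;`, backticks and `$(...)` in the value become new commands. The Python below is an added example written for this page, not code from any of those projects or from CVEdetails. It shows the Gitlist-style string-built command beside a hardened form that passes an argv list with no shell, allow-lists the value, and ends option parsing with `--`. The repository path and file names are constructed.

```python
"""Shell-metacharacter command injection: vulnerable and hardened forms.

The vulnerable function builds one string for /bin/sh to parse, which is how
the blame/file/stats pages in Gitlist, the src parameter in TimThumb, and the
username parameter in XRMS became command injection. The hardened function
never involves a shell, so metacharacters are inert, and additionally rejects
values that could be parsed as options or walk out of the repository.
"""
import re
import shlex
import subprocess
from typing import List

# Tokens a shell treats specially. Useful for log or WAF triage, not as a fix.
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\[\]*?!\\\"'\n\r]")

# Repository paths, refs and file names: letters, digits, dot, dash, underscore, slash.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._/-]+$")


def contains_shell_metachars(value: str) -> bool:
    """Triage helper: does this request value carry shell syntax?"""
    return SHELL_METACHARS.search(value) is not None


def vulnerable_blame_command(git_dir: str, ref: str, filename: str) -> str:
    """The bug: one string destined for shell=True. Returned here, never run."""
    return f"git --git-dir={git_dir} blame {ref} -- {filename}"


def is_safe_token(value: str) -> bool:
    """Allow-list check plus two argument-injection guards."""
    if not SAFE_TOKEN.fullmatch(value):
        return False
    if value.startswith("-"):          # would otherwise be parsed as an option
        return False
    if ".." in value.split("/"):       # keep the path inside the repository
        return False
    return True


def safe_blame_argv(git_dir: str, ref: str, filename: str) -> List[str]:
    """argv for subprocess.run(..., shell=False). '--' ends option parsing."""
    for value in (git_dir, ref, filename):
        if not is_safe_token(value):
            raise ValueError(f"rejected parameter: {value!r}")
    return ["git", f"--git-dir={git_dir}", "blame", ref, "--", filename]


def run_blame(git_dir: str, ref: str, filename: str) -> str:
    """Execute the validated argv without a shell and return git's output."""
    argv = safe_blame_argv(git_dir, ref, filename)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    payload = "README.md; id"          # constructed attacker-controlled file name
    print("shell string :", vulnerable_blame_command("/srv/repo/.git", "master", payload))
    print("metachars    :", contains_shell_metachars(payload))
    print("argv form    :", shlex.join(safe_blame_argv("/srv/repo/.git", "master", "README.md")))
    try:
        safe_blame_argv("/srv/repo/.git", "master", payload)
    except ValueError as exc:
        print("rejected     :", exc)
```

If a shell genuinely cannot be avoided (a legacy wrapper that takes one command line), `shlex.quote` each value before interpolating it; the argv form is still preferable because it also removes the word-splitting and globbing that quoting has to defend against.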
34 | CVE-2014-4334 | 119 | 1 | Exec Code, Overflow | 2014-06-19 | 2014-06-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Stack-based buffer overflow in Ubisoft Rayman Legends before 1.3.140380 allows remote attackers to execute arbitrary code via a long string in the "second connection" to TCP port 1001.

35 | CVE-2014-4166 | 79 | 1 | XSS | 2014-06-16 | 2014-06-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in the song history in SHOUTcast DNAS 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the mp3 title field.

36 | CVE-2014-4162 | 352 | 1 | CSRF | 2014-06-16 | 2014-07-17 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to Forms/WLAN_General_1.

37 | CVE-2014-4158 | 119 | 2 | Exec Code, Overflow | 2014-06-13 | 2014-08-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Stack-based buffer overflow in Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a GET request.

38 | CVE-2014-4155 | 352 | 1 | CSRF | 2014-06-19 | 2014-07-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Cross-site request forgery (CSRF) vulnerability in the ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK allows remote attackers to hijack the authentication of administrators for requests that change the admin password via a request to Forms/tools_admin_1.
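The router CSRF entries above (Thomson goform/RgSecurity, Zyxel Forms/WLAN_General_1, ZTE Forms/tools_admin_1) and the WordPress, Omeka and Lunar CMS ones all reduce to a form handler that trusts the browser's session cookie alone, so any page the logged-in administrator visits can submit the form on their behalf. The Python below is an added example, not firmware code from any of these vendors or code from CVEdetails. It models a password-change handler in both states: the cookie-only version accepts a forged cross-origin POST, the hardened version also demands a per-session token the attacker's origin cannot read and checks the Origin header. The management address, secret key and request dictionaries are constructed.

```python
"""Anti-CSRF check for a state-changing form, modelled on the router password
forms in this listing.

The vulnerable handler trusts the session cookie alone. The hardened handler
additionally requires a synchronizer token bound to the session (an HMAC, so
no server-side token store is needed) and checks that the request originated
from the device's own host.
"""
import hashlib
import hmac
from typing import Tuple
from urllib.parse import urlsplit

# Constructed for the example; a real device would derive a random key at first boot.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
DEVICE_HOST = "192.168.1.1"            # assumed management address


def issue_token(session_id: str) -> str:
    """Stateless synchronizer token embedded in the form: HMAC of the session id."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(source: str) -> bool:
    """True when an Origin/Referer value names the device itself."""
    return urlsplit(source).hostname == DEVICE_HOST


def vulnerable_change_password(request: dict) -> Tuple[int, str]:
    """Accepts any POST that carries a valid session cookie."""
    if request.get("method") != "POST" or not request.get("cookies", {}).get("session"):
        return 401, "login required"
    return 200, "password changed"


def safe_change_password(request: dict) -> Tuple[int, str]:
    """Same form, with origin and token checks before any state changes."""
    session = request.get("cookies", {}).get("session")
    if request.get("method") != "POST" or not session:
        return 401, "login required"
    headers = request.get("headers", {})
    # Browsers send Origin on cross-site POSTs; Referer is the fallback.
    source = headers.get("Origin") or headers.get("Referer") or ""
    if not same_origin(source):
        return 403, "cross-origin request refused"
    submitted = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(issue_token(session), submitted):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    if form["Password"] != form["PasswordReEnter"]:
        return 400, "passwords differ"
    return 200, "password changed"


# Constructed requests. The forged one is what a hidden auto-submitting form on
# an attacker's page produces: the browser attaches the admin's cookie itself.
LEGIT_REQUEST = {
    "method": "POST",
    "cookies": {"session": "abc123"},
    "headers": {"Origin": f"http://{DEVICE_HOST}"},
    "form": {"Password": "n3w-pass", "PasswordReEnter": "n3w-pass",
             "csrf_token": issue_token("abc123")},
}
FORGED_REQUEST = {
    "method": "POST",
    "cookies": {"session": "abc123"},
    "headers": {"Origin": "http://evil.example"},
    "form": {"Password": "pwned", "PasswordReEnter": "pwned"},
}

if __name__ == "__main__":
    print("vulnerable, forged:", vulnerable_change_password(FORGED_REQUEST))
    print("hardened,   forged:", safe_change_password(FORGED_REQUEST))
    print("hardened,   legit :", safe_change_password(LEGIT_REQUEST))
```

The Origin check alone is not sufficient on embedded devices reached over plain HTTP (a proxy or an old client may strip the header), which is why the token is still required; conversely the token alone is enough in principle, and the origin check is cheap defence in depth.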
39 | CVE-2014-4154 | 264 | 1 | +Info | 2014-07-16 | 2014-07-16 | 5.0 | None | Remote | Low | Not required | Partial | None | None
ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the PPPoE/PPPoA password via a direct request for basic/tc2wanfun.js.

40 | CVE-2014-4034 | 89 | 1 | Exec Code, Sql | 2014-06-11 | 2014-06-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in zero_view_article.php in ZeroCMS 1.0 allows remote attackers to execute arbitrary SQL commands via the article_id parameter.

41 | CVE-2014-4033 | 79 | 1 | XSS | 2014-06-11 | 2014-06-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in libraries/includes/personal/profile.php in Epignosis eFront 3.6.14.4 allows remote attackers to inject arbitrary web script or HTML via the surname parameter to student.php.

42 | CVE-2014-4018 | 255 | 1 | - | 2014-07-16 | 2014-07-16 | 7.8 | None | Remote | Low | Not required | None | Complete | None
The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which makes it easier for remote attackers to obtain access via unspecified vectors.

43 | CVE-2014-3976 | 119 | 1 | DoS, Exec Code, Overflow | 2014-06-05 | 2014-06-06 | 5.0 | None | Remote | Low | Not required | None | None | Partial
Buffer overflow in A10 Networks Advanced Core Operating System (ACOS) before 2.7.0-p6 and 2.7.1 before 2.7.1-P1_55 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long session id in the URI to sys_reboot.html. NOTE: some of these details are obtained from third party information.

44 | CVE-2014-3975 | 22 | 1 | Dir. Trav. | 2014-06-05 | 2014-06-06 | 5.0 | None | Remote | Low | Not required | Partial | None | None
Absolute path traversal vulnerability in filemanager.php in AuraCMS 3.0 allows remote attackers to list a directory via a full pathname in the viewdir parameter.
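The three traversal entries on this page are two variants of one mistake. The Download Shortcode plugin case is the classic `..` (dot dot) walk above the intended directory; DirPHP and AuraCMS are "absolute path traversal", where a full pathname in the parameter simply replaces the base directory, because path-joining functions discard everything before an absolute component. The Python below is an added example, not code from those plugins or from CVEdetails; it shows the naive join beside a containment check that rejects both variants. The base directory and request values are constructed.

```python
"""Path traversal, both variants in this listing, and a containment check.

vulnerable_resolve() reproduces the defect: join the user value onto the base
directory and normalise, without checking where the result landed.
safe_resolve() refuses absolute input and requires the normalised result to
stay strictly below the base directory.
"""
import posixpath
from typing import Dict, Optional, Tuple

BASE_DIR = "/var/www/app/files"       # assumed document root for the examples

# Constructed values of the file / phpfile / viewdir parameters above, as they
# arrive after the web server has percent-decoded the query string.
SAMPLE_REQUESTS: Dict[str, str] = {
    "legit": "docs/readme.txt",
    "dot_dot": "../../../../etc/passwd",
    "absolute": "/etc/passwd",
    "mixed": "docs/../../secret.txt",
}


def vulnerable_resolve(base: str, user_path: str) -> str:
    """The bug. posixpath.join discards `base` when user_path is absolute
    (absolute path traversal); '..' segments walk above it (dot-dot traversal)."""
    return posixpath.normpath(posixpath.join(base, user_path))


def safe_resolve(base: str, user_path: str) -> Optional[str]:
    """Return the target only if it lies strictly inside base, else None."""
    if "\x00" in user_path:              # NUL truncation in C-backed runtimes
        return None
    if posixpath.isabs(user_path):       # reject full pathnames outright
        return None
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, user_path))
    # Compare with the separator included: "/var/www/app/files_old/x" must fail,
    # and so must a result equal to base itself (an empty or "." parameter).
    if not target.startswith(base + "/"):
        return None
    return target


def triage(requests: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Side-by-side view: what the naive join yields vs. what the check allows."""
    return {name: (vulnerable_resolve(BASE_DIR, p), safe_resolve(BASE_DIR, p))
            for name, p in requests.items()}


if __name__ == "__main__":
    for name, (naive, checked) in triage(SAMPLE_REQUESTS).items():
        print(f"{name:9s} naive={naive!r:38s} checked={checked!r}")
```

Two caveats before reusing the check on a real server: decode the parameter exactly once before checking it (double-encoded `%252e%252e` must not be decoded again afterwards), and after the lexical check call `os.path.realpath` on the result and re-check containment, since a symlink inside the base directory can still point outside it. On Windows, additionally reject backslashes and drive-letter prefixes, which `posixpath` does not treat as separators.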
45 | CVE-2014-3974 | 79 | 1 | XSS | 2014-06-05 | 2014-06-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in filemanager.php in AuraCMS 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the viewdir parameter.

46 | CVE-2014-3962 | 89 | 1 | Exec Code, Sql | 2014-06-04 | 2014-06-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Multiple SQL injection vulnerabilities in Videos Tube 1.0 allow remote attackers to execute arbitrary SQL commands via the url parameter to (1) videocat.php or (2) single.php.

47 | CVE-2014-3961 | 89 | 1 | Exec Code, Sql | 2014-06-04 | 2014-06-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in the Export CSV page in the Participants Database plugin before 1.5.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the query parameter in an "output CSV" action to pdb-signup/.
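The SQL injection entries in this listing (Sphider filter/site_id/url, Youtube Gallery listid/themeid, Cacti superlinks id, ZeroCMS article_id, Videos Tube url, Participants Database query) are all the same defect: a request parameter is concatenated into the statement text, so the database parser reads attacker input as SQL. The Python below is an added example, not code from any of those projects or from CVEdetails. It uses an in-memory SQLite table (constructed data) to show the numeric and the quoted-string variant of the bug beside parameterised queries, including the UNION trick that turns a harmless lookup into extraction of a column the query never selected.

```python
"""SQL injection: string-built queries beside parameterised ones.

make_db() builds a constructed table; the 'secret' column stands for anything
the lookup was never meant to return (password hashes, API keys). The
vulnerable functions paste the request parameter into the statement; the safe
ones bind it, so its content can never change the statement's structure.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data, not taken from any real application."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE links (id INTEGER PRIMARY KEY, title TEXT, secret TEXT)")
    con.executemany(
        "INSERT INTO links VALUES (?, ?, ?)",
        [(1, "public", "s3cret-1"), (2, "internal", "s3cret-2"), (3, "admin", "s3cret-3")],
    )
    return con


def vulnerable_by_id(con: sqlite3.Connection, link_id: str) -> List[Tuple]:
    """Numeric parameter pasted into the statement (the Cacti id / ZeroCMS
    article_id pattern). No quotes are needed to break out."""
    return con.execute(f"SELECT title FROM links WHERE id = {link_id}").fetchall()


def vulnerable_by_title(con: sqlite3.Connection, needle: str) -> List[Tuple]:
    """String parameter pasted between quotes (the Sphider filter pattern).
    A single quote in the value closes the literal."""
    return con.execute(f"SELECT title FROM links WHERE title = '{needle}'").fetchall()


def safe_by_id(con: sqlite3.Connection, link_id: str) -> List[Tuple]:
    """Type-check, then bind. The value never reaches the SQL parser as code."""
    try:
        value = int(link_id)
    except ValueError:
        return []
    return con.execute("SELECT title FROM links WHERE id = ?", (value,)).fetchall()


def safe_by_title(con: sqlite3.Connection, needle: str) -> List[Tuple]:
    """Bound string parameter: quotes inside the value are just characters."""
    return con.execute("SELECT title FROM links WHERE title = ?", (needle,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("tautology  :", vulnerable_by_id(db, "1 OR 1=1"))                       # every title
    print("union      :", vulnerable_by_id(db, "0 UNION SELECT secret FROM links"))  # unexposed column
    print("quote break:", vulnerable_by_title(db, "x' OR '1'='1"))
    print("bound      :", safe_by_id(db, "1 OR 1=1"), safe_by_title(db, "x' OR '1'='1"))
```

Binding is the fix; input filtering of quotes is not, because the numeric variant needs no quote at all. Where a parameter has to select an identifier rather than a value (a column to sort by, a table name), binding cannot help and the value must be mapped through a fixed allow-list instead.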
48 | CVE-2014-3914 | 22 | 1 | Exec Code, Dir. Trav. | 2014-08-07 | 2014-08-07 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Directory traversal vulnerability in the Admin Center for Tivoli Storage Manager (TSM) in Rocket ServerGraph 1.2 allows remote attackers to (1) create arbitrary files via a .. (dot dot) in the query parameter in a writeDataFile action to the fileRequestor servlet, execute arbitrary files via a .. (dot dot) in the query parameter in a (2) run or (3) runClear action to the fileRequestor servlet, (4) read arbitrary files via a readDataFile action to the fileRequestor servlet, (5) execute arbitrary code via a save_server_groups action to the userRequest servlet, or (6) delete arbitrary files via a del action in the fileRequestServlet servlet.

49 | CVE-2014-3913 | 119 | 1 | Exec Code, Overflow | 2014-06-04 | 2014-06-26 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Stack-based buffer overflow in AccessServer32.exe in Ericom AccessNow Server allows remote attackers to execute arbitrary code via a request for a non-existent file.

50 | CVE-2014-3888 | 119 | 1 | Exec Code, Overflow | 2014-07-10 | 2014-08-19 | 8.3 | None | Remote | Medium | Not required | Partial | Partial | Complete
Stack-based buffer overflow in BKFSim_vhfd.exe in Yokogawa CENTUM CS 1000, CENTUM CS 3000 R3.09.50 and earlier, CENTUM VP R5.03.20 and earlier, Exaopc R3.72.00 and earlier, B/M9000CS R5.05.01 and earlier, and B/M9000 VP R7.03.01 and earlier, when FCS/Test Function is enabled, allows remote attackers to execute arbitrary code via a crafted packet.
Total number of vulnerabilities: 240 (this is page 1 of 5)