CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 9 and 10)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
5501 CVE-2014-9727 78 1 Exec Code 2015-05-29 2018-08-13
10.0
None Remote Low Not required Complete Complete Complete
AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm.
5502 CVE-2014-9682 77 Exec Code 2015-02-27 2015-03-02
10.0
None Remote Low Not required Complete Complete Complete
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.
5503 CVE-2014-9605 287 Sql Bypass 2015-09-04 2015-09-04
9.4
None Remote Low Not required Complete None Complete
WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and password parameters to webupgrade/webupgrade.php. NOTE: this was originally reported as an SQL injection vulnerability, but this may be inaccurate.
5504 CVE-2014-9583 264 1 Exec Code Bypass 2015-01-08 2018-04-26
10.0
None Remote Low Not required Complete Complete Complete
common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.
5505 CVE-2014-9574 22 Dir. Trav. 2015-02-03 2017-09-07
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in install.php in FluxBB before 1.5.8 allows remote attackers to include and execute arbitrary local install.php files via a .. (dot dot) in the install_lang parameter.
5506 CVE-2014-9496 119 Overflow 2015-01-16 2018-10-30
10.0
None Remote Low Not required Complete Complete Complete
The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read.
5507 CVE-2014-9495 119 Exec Code Overflow 2015-01-10 2016-10-17
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.
5508 CVE-2014-9488 119 Overflow 2015-04-14 2018-10-30
10.0
None Remote Low Not required Complete Complete Complete
The is_utf8_well_formed function in GNU less before 475 allows remote attackers to have unspecified impact via malformed UTF-8 characters, which triggers an out-of-bounds read.
5509 CVE-2014-9463 94 Exec Code 2017-09-15 2017-09-29
9.0
None Remote Low Single system Complete Complete Complete
functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.
5510 CVE-2014-9458 119 Overflow 2015-01-02 2015-01-05
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in the GDB debugger module in Hex-Rays IDA Pro before 6.6 cumulative fix 2014-12-24 allows remote GDB servers to have unspecified impact via unknown vectors.
5511 CVE-2014-9456 119 1 Overflow 2015-01-02 2015-01-10
10.0
None Remote Low Not required Complete Complete Complete
Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have unspecified impact via a long Time attribute in an Event element in an XML file. NOTE: this issue was originally incorrectly mapped to CVE-2014-1004; see CVE-2014-1004 for more information.
5512 CVE-2014-9421 DoS Exec Code 2015-02-19 2017-01-02
9.0
None Remote Low Single system Complete Complete Complete
The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.
5513 CVE-2014-9411 118 2017-08-18 2017-08-23
10.0
None Remote Low Not required Complete Complete Complete
In all Qualcomm products with Android releases from CAF using the Linux kernel, the use of an out-of-range pointer offset is potentially possible in rollback protection.
5514 CVE-2014-9406 255 2014-12-18 2014-12-18
10.0
Admin Remote Low Not required Complete Complete Complete
ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier has a default password of password for the admin account, which makes it easier for remote attackers to obtain access via a request to home_loggedout.php.
5515 CVE-2014-9387 264 +Priv 2014-12-17 2018-10-09
10.0
User Remote Low Not required Complete Complete Complete
SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905.
5516 CVE-2014-9375 22 Dir. Trav. 2015-02-16 2015-02-17
9.0
None Remote Low Single system Complete Complete Complete
Directory traversal vulnerability in the LibraryFileUploadServlet servlet in Lexmark Markvision Enterprise allows remote authenticated users to write to and execute arbitrary files via a .. (dot dot) in a file path in a ZIP archive.
5517 CVE-2014-9373 22 Exec Code Dir. Trav. 2014-12-16 2014-12-17
10.0
None Remote Low Not required Complete Complete Complete
Directory traversal vulnerability in the CollectorConfInfoServlet servlet in ManageEngine NetFlow Analyzer allows remote attackers to execute arbitrary code via a .. (dot dot) in the filename.
5518 CVE-2014-9371 20 Exec Code 2014-12-16 2015-03-06
10.0
None Remote Low Not required Complete Complete Complete
The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object.
5519 CVE-2014-9357 264 Exec Code 2014-12-16 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.
5520 CVE-2014-9353 264 +Priv 2015-02-06 2015-02-06
10.0
None Remote Low Not required Complete Complete Complete
NetApp OnCommand Balance before 4.2P2 contains a "default privileged account," which allows remote attackers to gain privileges via unspecified vectors.
5521 CVE-2014-9223 119 DoS Exec Code Overflow 2014-12-24 2016-09-06
10.0
None Remote Low Not required Complete Complete Complete
Multiple buffer overflows in AllegroSoft RomPager, as used in Huawei Home Gateway products and other vendors and products, allow remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors related to authorization.
5522 CVE-2014-9222 17 +Priv Mem. Corr. 2014-12-24 2018-08-31
10.0
None Remote Low Not required Complete Complete Complete
AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the "Misfortune Cookie" vulnerability.
5523 CVE-2014-9208 119 Exec Code Overflow 2015-09-11 2017-09-15
10.0
None Remote Low Not required Complete Complete Complete
Multiple stack-based buffer overflows in unspecified DLL files in Advantech WebAccess before 8.0.1 allow remote attackers to execute arbitrary code via unknown vectors.
5524 CVE-2014-9198 255 2015-01-27 2015-01-28
10.0
None Remote Low Not required Complete Complete Complete
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.
5525 CVE-2014-9196 254 2015-07-19 2016-11-28
9.3
None Remote Medium Not required Complete Complete Complete
Eaton Cooper Power Systems ProView 4.0 and 5.0 before 5.0 11 on Form 6 controls and Idea and IdeaPLUS relays generates TCP initial sequence number (ISN) values linearly, which makes it easier for remote attackers to spoof TCP sessions by predicting an ISN value.
5526 CVE-2014-9193 264 2014-12-19 2014-12-22
9.0
Admin Remote Low Single system Complete Complete Complete
Innominate mGuard with firmware before 7.6.6 and 8.x before 8.1.4 allows remote authenticated admins to obtain root privileges by changing a PPP configuration setting.
5527 CVE-2014-9190 119 Exec Code Overflow 2015-01-09 2015-01-12
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in Schneider Electric Wonderware InTouch Access Anywhere Server 10.6 and 11.0 allows remote attackers to execute arbitrary code via a request for a filename that does not exist.
5528 CVE-2014-9188 119 Exec Code Overflow 2014-12-27 2014-12-29
9.0
None Remote Low Not required Complete Partial Partial
Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-8514. NOTE: this may be clarified later based on details provided by researchers.
5529 CVE-2014-9183 255 +Priv 2014-12-02 2014-12-03
10.0
User Remote Low Not required Complete Complete Complete
ZTE ZXDSL 831CII has a default password of admin for the admin account, which allows remote attackers to gain administrator privileges.
5530 CVE-2014-9165 Exec Code 2014-12-10 2014-12-11
10.0
None Remote Low Not required Complete Complete Complete
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8454 and CVE-2014-8455.
5531 CVE-2014-9164 94 DoS Exec Code Mem. Corr. 2014-12-10 2018-12-20
10.0
None Remote Low Not required Complete Complete Complete
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0587.
5532 CVE-2014-9163 Exec Code Overflow 2014-12-10 2018-12-20
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.
5533 CVE-2014-9162 200 +Info 2014-12-10 2018-12-20
10.0
None Remote Low Not required Complete Complete Complete
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to obtain sensitive information via unspecified vectors.
5534 CVE-2014-9161 119 DoS Overflow 2015-01-30 2017-01-02
9.3
None Remote Medium Not required Complete Complete Complete
CoolType.dll in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows, and 10.x through 10.1.13 and 11.x through 11.0.10 on OS X, allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted PDF document.
5535 CVE-2014-9160 119 Exec Code Overflow 2015-05-13 2017-01-02
10.0
None Remote Low Not required Complete Complete Complete
Multiple heap-based buffer overflows in Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to execute arbitrary code via unknown vectors.
5536 CVE-2014-9159 Exec Code Overflow 2014-12-10 2014-12-11
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.
5537 CVE-2014-9158 94 DoS Exec Code Mem. Corr. 2014-12-10 2014-12-11
10.0
None Remote Low Not required Complete Complete Complete
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, and CVE-2014-8461.
5538 CVE-2014-9134 Exec Code 2014-12-03 2014-12-05
10.0
None Remote Low Not required Complete Complete Complete
Unrestricted file upload vulnerability in Huawei Honor Cube Wireless Router WS860s before V100R001C02B222 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.
5539 CVE-2014-9118 77 Exec Code 2017-10-17 2018-10-09
9.0
None Remote Low Single system Complete Complete Complete
The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.
5540 CVE-2014-9002 264 Exec Code 2014-11-20 2017-09-07
10.0
None Remote Low Not required Complete Complete Complete
Lantronix xPrintServer does not properly restrict access to ips/, which allows remote attackers to execute arbitrary commands via the c parameter in an rpc action.
5541 CVE-2014-8966 20 DoS Exec Code Mem. Corr. 2014-12-10 2018-10-12
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
5542 CVE-2014-8891 Exec Code 2015-03-06 2016-12-27
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors related to the security manager.
5543 CVE-2014-8888 77 Exec Code 2018-04-12 2018-05-18
10.0
None Remote Low Not required Complete Complete Complete
The remote administration interface in D-Link DIR-815 devices with firmware before 2.03.B02 allows remote attackers to execute arbitrary commands via vectors related to an "HTTP command injection issue."
5544 CVE-2014-8886 310 Exec Code 2016-01-08 2018-10-09
9.3
None Remote Medium Not required Complete Complete Complete
AVM FRITZ!OS before 6.30 extracts the contents of firmware updates before verifying their cryptographic signature, which allows remote attackers to create symlinks or overwrite critical files, and consequently execute arbitrary code, via a crafted firmware image.
5545 CVE-2014-8877 94 Exec Code 2014-12-05 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
The alterSearchQuery function in lib/controllers/CmdownloadController.php in the CreativeMinds CM Downloads Manager plugin before 2.0.4 for WordPress allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP create_function function.
5546 CVE-2014-8873 20 Exec Code 2015-11-09 2015-11-10
10.0
None Remote Low Not required Complete Complete Complete
A .desktop file in the Debian openjdk-7 package 7u79-2.5.5-1~deb8u1 includes a MIME type registration that is added to /etc/mailcap by mime-support, which allows remote attackers to execute arbitrary code via a JAR file.
5547 CVE-2014-8872 94 2017-08-28 2018-10-09
9.3
None Remote Medium Not required Complete Complete Complete
Improper Verification of Cryptographic Signature in AVM FRITZ!Box 6810 LTE after firmware 5.22, FRITZ!Box 6840 LTE after firmware 5.23, and other models with firmware 5.50.
5548 CVE-2014-8837 Exec Code 2015-01-30 2017-09-07
9.3
None Remote Medium Not required Complete Complete Complete
Multiple unspecified vulnerabilities in the Bluetooth driver in Apple OS X before 10.10.2 allow attackers to execute arbitrary code in a privileged context via a crafted app.
5549 CVE-2014-8836 20 DoS Exec Code 2015-01-30 2017-09-07
10.0
None Remote Low Not required Complete Complete Complete
The Bluetooth driver in Apple OS X before 10.10.2 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (arbitrary-size bzero of kernel memory) via a crafted app.
5550 CVE-2014-8835 19 1 Exec Code 2015-01-30 2017-09-07
9.3
None Remote Medium Not required Complete Complete Complete
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.