CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 9 and 10)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
6351 CVE-2014-7875 DoS +Info 2014-11-04 2017-09-07
9.0
None Remote Low Not required Partial Partial Complete
Unspecified vulnerability on the HP LaserJet CM3530 Multifunction Printer CC519A and CC520A with firmware before 53.236.2 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors.
6352 CVE-2014-7861 20 DoS Exec Code 2014-10-05 2014-10-10
9.3
None Remote Medium Not required Complete Complete Complete
The IOHIDSecurePromptClient function in Apple OS X does not properly validate pointer values, which allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via a crafted web site.
6353 CVE-2014-7858 287 Bypass 2017-08-25 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
The check_login function in D-Link DNR-326 before 2.10 build 03 allows remote attackers to bypass authentication and log in by setting the username cookie parameter to an arbitrary string.
6354 CVE-2014-7857 287 Bypass 2017-08-25 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
D-Link DNS-320L firmware before 1.04b12, DNS-327L before 1.03b04 Build0119, DNR-326 1.40b03, DNS-320B 1.02b01, DNS-345 1.03b06, DNS-325 1.05b03, and DNS-322L 2.00b07 allow remote attackers to bypass authentication and log in with administrator permissions by passing the cgi_set_wto command in the cmd parameter, and setting the spawned session's cookie to username=admin.
6355 CVE-2014-7297 2014-10-13 2014-10-15
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the folder framework in the Enfold theme before 3.0.1 for WordPress has unknown impact and attack vectors.
6356 CVE-2014-7288 264 1 Exec Code 2015-01-31 2017-09-07
9.0
None Remote Low Single system Complete Complete Complete
Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allow remote authenticated administrators to execute arbitrary shell commands via a crafted command line in a database-backup restore action.
6357 CVE-2014-7279 264 1 2017-03-23 2017-03-28
10.0
None Remote Low Not required Complete Complete Complete
The Konke Smart Plug K does not require authentication for TELNET sessions, which allows remote attackers to obtain "equipment management authority" via TCP traffic to port 23.
6358 CVE-2014-7249 119 Exec Code Overflow 2014-12-19 2014-12-19
10.0
None Remote Low Not required Complete Complete Complete
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 9924SP, CentreCOM 9924T/4SP, Rapier 48i, and SwitchBlade4000 with firmware before 2.9.1-21 allows remote attackers to execute arbitrary code via a crafted HTTP POST request.
6359 CVE-2014-7247 19 Exec Code 2014-11-25 2015-02-24
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.
6360 CVE-2014-7235 94 Exec Code 2014-10-07 2017-09-07
10.0
None Remote Low Not required Complete Complete Complete
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014.
6361 CVE-2014-7233 255 2015-08-04 2018-03-27
10.0
None Remote Low Not required Complete Complete Complete
GE Healthcare Precision THUNIS-800+ has a default password of (1) 1973 for the factory default System Utilities menu, (2) TH8740 for installation using TH8740_122_Setup.exe, (3) hrml for "Setup and Activation" using DSASetup, and (4) an empty string for Shutter Configuration, which has unspecified impact and attack vectors. NOTE: since these passwords appear to be used to access functionality during installation, this issue might not cross privilege boundaries and might not be a vulnerability.
6362 CVE-2014-7232 255 2015-08-04 2018-03-27
10.0
None Remote Low Not required Complete Complete Complete
GE Healthcare Discovery XR656 and XR656 G2 has a password of (1) 2getin for the insite user, (2) 4$xray for the xruser user, and (3) #superxr for the root user, which has unspecified impact and attack vectors. NOTE: it is not clear whether these passwords are default, hardcoded, or dependent on another system or product that requires a fixed value.
6363 CVE-2014-7216 119 DoS Exec Code Overflow 2015-09-11 2018-10-09
9.3
None Remote Medium Not required Complete Complete Complete
Multiple stack-based buffer overflows in Yahoo! Messenger 11.5.0.228 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the (1) shortcut or (2) title keys in an emoticons.xml file.
6364 CVE-2014-7205 94 Exec Code 2014-10-08 2019-07-16
10.0
None Remote Low Not required Complete Complete Complete
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors.
6365 CVE-2014-7192 94 Exec Code 2014-12-11 2017-09-07
10.0
None Remote Low Not required Complete Complete Complete
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to execute arbitrary code via a crafted file.
6366 CVE-2014-7187 119 DoS Overflow 2014-09-28 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.
6367 CVE-2014-7186 119 DoS Overflow 2014-09-28 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.
6368 CVE-2014-7178 20 Exec Code 2014-11-28 2014-12-16
9.3
None Remote Medium Not required Complete Complete Complete
Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbitrary commands via the User-Agent header, which is provided to the passthru PHP function.
6369 CVE-2014-7169 78 Exec Code 2014-09-24 2018-11-30
10.0
None Remote Low Not required Complete Complete Complete
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
6370 CVE-2014-6633 77 Exec Code 2018-04-12 2018-05-22
9.0
None Remote Low Single system Complete Complete Complete
The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module.
6371 CVE-2014-6628 Exec Code 2015-05-28 2015-05-29
9.0
None Remote Low Single system Complete Complete Complete
Aruba Networks ClearPass Policy Manager (CPPM) before 6.5.0 allows remote administrators to execute arbitrary code via unspecified vectors.
6372 CVE-2014-6627 284 Exec Code 2014-11-19 2014-11-19
9.0
None Remote Low Single system Complete Complete Complete
Aruba Networks ClearPass before 6.3.5 and 6.4.x before 6.4.1 allows remote attackers to execute arbitrary commands via unspecified vectors, a different vulnerability than CVE-2014-5342.
6373 CVE-2014-6626 284 Bypass 2014-11-19 2014-11-19
10.0
Admin Remote Low Not required Complete Complete Complete
Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 does not properly restrict access to unspecified administrative functions, which allows remote attackers to bypass authentication and execute administrative actions via unknown vectors.
6374 CVE-2014-6625 284 +Priv 2014-11-19 2014-11-19
9.0
Admin Remote Low Single system Complete Complete Complete
The Policy Manager in Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 allows remote authenticated users to gain privileges via unspecified vectors.
6375 CVE-2014-6617 798 2018-03-09 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
Softing FG-100 PB PROFIBUS firmware version FG-x00-PB_V2.02.0.00 contains a hardcoded password for the root account, which allows remote attackers to obtain administrative access via a TELNET session.
6376 CVE-2014-6601 2015-01-21 2019-04-22
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
6377 CVE-2014-6567 Exec Code Overflow 2015-01-21 2016-11-28
9.0
None Remote Low Single system Complete Complete Complete
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that this is a stack-based buffer overflow in DBMS_AW.EXECUTE, which allows code execution via a long Current Directory Alias (CDA) command.
6378 CVE-2014-6562 2014-10-15 2015-02-20
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
6379 CVE-2014-6560 2014-10-15 2014-10-24
9.0
None Remote Low Single system Complete Complete Complete
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-6453, CVE-2014-6467, and CVE-2014-6545.
6380 CVE-2014-6549 2015-01-21 2016-12-21
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
6381 CVE-2014-6546 2014-10-15 2014-10-24
9.0
None Remote Low Single system Complete Complete Complete
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
6382 CVE-2014-6545 2014-10-15 2015-11-17
9.0
None Remote Low Single system Complete Complete Complete
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-6453, CVE-2014-6467, and CVE-2014-6560.
6383 CVE-2014-6532 2014-10-15 2015-03-17
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503.
6384 CVE-2014-6513 2014-10-15 2015-03-16
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT.
6385 CVE-2014-6503 2014-10-15 2015-03-17
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532.
6386 CVE-2014-6485 2014-10-15 2015-02-20
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 8u20 and JavaFX 2.2.65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
6387 CVE-2014-6467 2014-10-15 2015-11-06
9.0
None Remote Low Single system Complete Complete Complete
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-6453, CVE-2014-6545, and CVE-2014-6560.
6388 CVE-2014-6456 2014-10-15 2015-03-16
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
6389 CVE-2014-6455 2014-10-15 2015-11-13
9.0
None Remote Low Single system Complete Complete Complete
Unspecified vulnerability in the SQLJ component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
6390 CVE-2014-6453 2014-10-15 2015-11-17
9.0
None Remote Low Single system Complete Complete Complete
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2014-6467, CVE-2014-6545, and CVE-2014-6560.
6391 CVE-2014-6436 287 Exec Code Bypass 2018-01-12 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login.
6392 CVE-2014-6434 78 Exec Code 2014-10-07 2014-10-08
10.0
None Remote Low Not required Complete Complete Complete
gpExec in GoPro HERO 3+ allows remote attackers to execute arbitrary commands via a the (1) a1 or (2) a2 parameter in a restart action.
6393 CVE-2014-6433 94 2014-10-07 2014-10-08
10.0
None Remote Low Not required Complete Complete Complete
gpExec in GoPro HERO 3+ allows remote attackers to execute arbitrary files via a the (1) a1 or (2) a2 parameter in a start action.
6394 CVE-2014-6376 20 DoS Exec Code Mem. Corr. 2014-12-10 2018-10-12
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6327 and CVE-2014-6329.
6395 CVE-2014-6375 20 DoS Exec Code Mem. Corr. 2014-12-10 2018-10-12
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
6396 CVE-2014-6374 119 DoS Exec Code Overflow Mem. Corr. 2014-12-10 2018-10-12
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
6397 CVE-2014-6373 20 DoS Exec Code Mem. Corr. 2014-12-10 2018-10-12
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
6398 CVE-2014-6369 20 DoS Exec Code Mem. Corr. 2014-12-10 2018-10-12
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
6399 CVE-2014-6366 119 DoS Exec Code Overflow Mem. Corr. 2014-12-10 2018-10-12
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
6400 CVE-2014-6364 Exec Code 2014-12-10 2018-10-30
9.3
None Remote Medium Not required Complete Complete Complete
Use-after-free vulnerability in Microsoft Office 2007 SP3; 2010 SP2; 2013 Gold, SP1, and SP2; and 2013 RT Gold and SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Component Use After Free Vulnerability."
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.