CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 9 and 10)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
6451 CVE-2014-9583 264 1 Exec Code Bypass 2015-01-08 2018-04-26
10.0
None Remote Low Not required Complete Complete Complete
common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.
6452 CVE-2014-9574 22 Dir. Trav. 2015-02-03 2017-09-07
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in install.php in FluxBB before 1.5.8 allows remote attackers to include and execute arbitrary local install.php files via a .. (dot dot) in the install_lang parameter.
6453 CVE-2014-9496 119 Overflow 2015-01-16 2019-04-11
10.0
None Remote Low Not required Complete Complete Complete
The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read.
6454 CVE-2014-9495 119 Exec Code Overflow 2015-01-10 2016-10-17
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.
6455 CVE-2014-9488 119 Overflow 2015-04-14 2018-10-30
10.0
None Remote Low Not required Complete Complete Complete
The is_utf8_well_formed function in GNU less before 475 allows remote attackers to have unspecified impact via malformed UTF-8 characters, which triggers an out-of-bounds read.
6456 CVE-2014-9463 94 Exec Code 2017-09-15 2017-09-29
9.0
None Remote Low Single system Complete Complete Complete
functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.
6457 CVE-2014-9458 119 Overflow 2015-01-02 2019-04-15
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in the GDB debugger module in Hex-Rays IDA Pro before 6.6 cumulative fix 2014-12-24 allows remote GDB servers to have unspecified impact via unknown vectors.
6458 CVE-2014-9456 119 1 Overflow 2015-01-02 2019-04-15
10.0
None Remote Low Not required Complete Complete Complete
Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have unspecified impact via a long Time attribute in an Event element in an XML file. NOTE: this issue was originally incorrectly mapped to CVE-2014-1004; see CVE-2014-1004 for more information.
6459 CVE-2014-9421 DoS Exec Code 2015-02-19 2017-01-02
9.0
None Remote Low Single system Complete Complete Complete
The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.
6460 CVE-2014-9411 118 2017-08-18 2017-08-23
10.0
None Remote Low Not required Complete Complete Complete
In all Qualcomm products with Android releases from CAF using the Linux kernel, the use of an out-of-range pointer offset is potentially possible in rollback protection.
6461 CVE-2014-9406 255 2014-12-18 2014-12-18
10.0
Admin Remote Low Not required Complete Complete Complete
ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier has a default password of password for the admin account, which makes it easier for remote attackers to obtain access via a request to home_loggedout.php.
6462 CVE-2014-9387 264 +Priv 2014-12-17 2018-10-09
10.0
User Remote Low Not required Complete Complete Complete
SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905.
6463 CVE-2014-9375 22 Dir. Trav. 2015-02-16 2015-02-17
9.0
None Remote Low Single system Complete Complete Complete
Directory traversal vulnerability in the LibraryFileUploadServlet servlet in Lexmark Markvision Enterprise allows remote authenticated users to write to and execute arbitrary files via a .. (dot dot) in a file path in a ZIP archive.
6464 CVE-2014-9373 22 Exec Code Dir. Trav. 2014-12-16 2014-12-17
10.0
None Remote Low Not required Complete Complete Complete
Directory traversal vulnerability in the CollectorConfInfoServlet servlet in ManageEngine NetFlow Analyzer allows remote attackers to execute arbitrary code via a .. (dot dot) in the filename.
6465 CVE-2014-9371 20 Exec Code 2014-12-16 2015-03-06
10.0
None Remote Low Not required Complete Complete Complete
The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object.
6466 CVE-2014-9357 264 Exec Code 2014-12-16 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.
6467 CVE-2014-9353 264 +Priv 2015-02-06 2015-02-06
10.0
None Remote Low Not required Complete Complete Complete
NetApp OnCommand Balance before 4.2P2 contains a "default privileged account," which allows remote attackers to gain privileges via unspecified vectors.
6468 CVE-2014-9223 119 DoS Exec Code Overflow 2014-12-24 2016-09-06
10.0
None Remote Low Not required Complete Complete Complete
Multiple buffer overflows in AllegroSoft RomPager, as used in Huawei Home Gateway products and other vendors and products, allow remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors related to authorization.
6469 CVE-2014-9222 17 +Priv Mem. Corr. 2014-12-24 2018-08-31
10.0
None Remote Low Not required Complete Complete Complete
AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the "Misfortune Cookie" vulnerability.
6470 CVE-2014-9208 119 Exec Code Overflow 2015-09-11 2017-09-15
10.0
None Remote Low Not required Complete Complete Complete
Multiple stack-based buffer overflows in unspecified DLL files in Advantech WebAccess before 8.0.1 allow remote attackers to execute arbitrary code via unknown vectors.
6471 CVE-2014-9198 255 2015-01-27 2019-04-15
10.0
None Remote Low Not required Complete Complete Complete
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.
6472 CVE-2014-9196 254 2015-07-19 2016-11-28
9.3
None Remote Medium Not required Complete Complete Complete
Eaton Cooper Power Systems ProView 4.0 and 5.0 before 5.0 11 on Form 6 controls and Idea and IdeaPLUS relays generates TCP initial sequence number (ISN) values linearly, which makes it easier for remote attackers to spoof TCP sessions by predicting an ISN value.
6473 CVE-2014-9193 264 2014-12-19 2014-12-22
9.0
Admin Remote Low Single system Complete Complete Complete
Innominate mGuard with firmware before 7.6.6 and 8.x before 8.1.4 allows remote authenticated admins to obtain root privileges by changing a PPP configuration setting.
6474 CVE-2014-9190 119 Exec Code Overflow 2015-01-09 2015-01-12
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in Schneider Electric Wonderware InTouch Access Anywhere Server 10.6 and 11.0 allows remote attackers to execute arbitrary code via a request for a filename that does not exist.
6475 CVE-2014-9189 119 DoS Exec Code Overflow Mem. Corr. 2019-03-25 2019-04-09
10.0
None Remote Low Not required Complete Complete Complete
Multiple stack-based buffer overflow vulnerabilities were found in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules that could lead to possible remote code execution, dynamic memory corruption, or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.
6476 CVE-2014-9188 119 Exec Code Overflow 2014-12-27 2014-12-29
9.0
None Remote Low Not required Complete Partial Partial
Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-8514. NOTE: this may be clarified later based on details provided by researchers.
6477 CVE-2014-9183 255 +Priv 2014-12-02 2014-12-03
10.0
User Remote Low Not required Complete Complete Complete
ZTE ZXDSL 831CII has a default password of admin for the admin account, which allows remote attackers to gain administrator privileges.
6478 CVE-2014-9165 Exec Code 2014-12-10 2014-12-11
10.0
None Remote Low Not required Complete Complete Complete
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8454 and CVE-2014-8455.
6479 CVE-2014-9164 94 DoS Exec Code Mem. Corr. 2014-12-10 2018-12-20
10.0
None Remote Low Not required Complete Complete Complete
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0587.
6480 CVE-2014-9163 Exec Code Overflow 2014-12-10 2018-12-20
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.
6481 CVE-2014-9162 200 +Info 2014-12-10 2018-12-20
10.0
None Remote Low Not required Complete Complete Complete
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to obtain sensitive information via unspecified vectors.
6482 CVE-2014-9161 119 DoS Overflow 2015-01-30 2017-01-02
9.3
None Remote Medium Not required Complete Complete Complete
CoolType.dll in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows, and 10.x through 10.1.13 and 11.x through 11.0.10 on OS X, allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted PDF document.
6483 CVE-2014-9160 119 Exec Code Overflow 2015-05-13 2017-01-02
10.0
None Remote Low Not required Complete Complete Complete
Multiple heap-based buffer overflows in Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to execute arbitrary code via unknown vectors.
6484 CVE-2014-9159 Exec Code Overflow 2014-12-10 2014-12-11
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.
6485 CVE-2014-9158 94 DoS Exec Code Mem. Corr. 2014-12-10 2014-12-11
10.0
None Remote Low Not required Complete Complete Complete
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, and CVE-2014-8461.
6486 CVE-2014-9134 Exec Code 2014-12-03 2014-12-05
10.0
None Remote Low Not required Complete Complete Complete
Unrestricted file upload vulnerability in Huawei Honor Cube Wireless Router WS860s before V100R001C02B222 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.
6487 CVE-2014-9118 77 Exec Code 2017-10-17 2018-10-09
9.0
None Remote Low Single system Complete Complete Complete
The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.
6488 CVE-2014-9002 264 Exec Code 2014-11-20 2017-09-07
10.0
None Remote Low Not required Complete Complete Complete
Lantronix xPrintServer does not properly restrict access to ips/, which allows remote attackers to execute arbitrary commands via the c parameter in an rpc action.
6489 CVE-2014-8966 20 DoS Exec Code Mem. Corr. 2014-12-10 2018-10-12
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
6490 CVE-2014-8891 Exec Code 2015-03-06 2019-07-16
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors related to the security manager.
6491 CVE-2014-8888 77 Exec Code 2018-04-12 2018-05-18
10.0
None Remote Low Not required Complete Complete Complete
The remote administration interface in D-Link DIR-815 devices with firmware before 2.03.B02 allows remote attackers to execute arbitrary commands via vectors related to an "HTTP command injection issue."
6492 CVE-2014-8886 310 Exec Code 2016-01-08 2018-10-09
9.3
None Remote Medium Not required Complete Complete Complete
AVM FRITZ!OS before 6.30 extracts the contents of firmware updates before verifying their cryptographic signature, which allows remote attackers to create symlinks or overwrite critical files, and consequently execute arbitrary code, via a crafted firmware image.
6493 CVE-2014-8877 94 Exec Code 2014-12-05 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
The alterSearchQuery function in lib/controllers/CmdownloadController.php in the CreativeMinds CM Downloads Manager plugin before 2.0.4 for WordPress allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP create_function function.
6494 CVE-2014-8873 20 Exec Code 2015-11-09 2015-11-10
10.0
None Remote Low Not required Complete Complete Complete
A .desktop file in the Debian openjdk-7 package 7u79-2.5.5-1~deb8u1 includes a MIME type registration that is added to /etc/mailcap by mime-support, which allows remote attackers to execute arbitrary code via a JAR file.
6495 CVE-2014-8872 94 2017-08-28 2018-10-09
9.3
None Remote Medium Not required Complete Complete Complete
Improper Verification of Cryptographic Signature in AVM FRITZ!Box 6810 LTE after firmware 5.22, FRITZ!Box 6840 LTE after firmware 5.23, and other models with firmware 5.50.
6496 CVE-2014-8837 Exec Code 2015-01-30 2017-09-07
9.3
None Remote Medium Not required Complete Complete Complete
Multiple unspecified vulnerabilities in the Bluetooth driver in Apple OS X before 10.10.2 allow attackers to execute arbitrary code in a privileged context via a crafted app.
6497 CVE-2014-8836 20 DoS Exec Code 2015-01-30 2017-09-07
10.0
None Remote Low Not required Complete Complete Complete
The Bluetooth driver in Apple OS X before 10.10.2 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (arbitrary-size bzero of kernel memory) via a crafted app.
6498 CVE-2014-8835 19 1 Exec Code 2015-01-30 2017-09-07
9.3
None Remote Medium Not required Complete Complete Complete
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.
6499 CVE-2014-8824 20 Exec Code 2015-01-30 2017-09-07
10.0
None Remote Low Not required Complete Complete Complete
The kernel in Apple OS X before 10.10.2 does not properly validate IODataQueue object metadata fields, which allows attackers to execute arbitrary code in a privileged context via a crafted app.
6500 CVE-2014-8822 19 DoS Exec Code 2015-01-30 2017-09-07
10.0
None Remote Low Not required Complete Complete Complete
IOHIDFamily in Apple OS X before 10.10.2 allows attackers to execute arbitrary code in a kernel context or cause a denial of service (write to kernel memory) via a crafted app that calls an unspecified user-client method.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.