CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
17251 CVE-2014-5392 DoS 2014-09-23 2018-10-09
5.8
None Remote Medium Not required Partial None Partial
XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.
17252 CVE-2014-5386 310 2014-12-28 2014-12-30
5.0
None Remote Low Not required None Partial None
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initialization vector.
17253 CVE-2014-5385 287 2014-08-21 2018-10-09
5.0
None Remote Low Not required None Partial None
com/salesmanager/central/profile/ProfileAction.java in Shopizer 1.1.5 and earlier does not restrict the number of authentication attempts, which makes it easier for remote attackers to guess passwords via a brute force attack.
17254 CVE-2014-5384 119 DoS Overflow 2014-08-21 2014-08-21
5.0
None Remote Low Not required None None Partial
The VIQR module in the iconv implementation in FreeBSD 10.0 before p6 and NetBSD allows context-dependent attackers to cause a denial of service (out-of-bounds array access) via a crafted argument to the iconv_open function. NOTE: this issue was SPLIT from CVE-2014-3951 per ADT2 due to different vulnerability types.
17255 CVE-2014-5381 522 2020-01-13 2020-01-15
5.0
None Remote Low Not required Partial None None
Grand MA 300 allows a brute-force attack on the PIN.
17256 CVE-2014-5380 319 2020-01-13 2020-01-23
5.0
None Remote Low Not required Partial None None
Grand MA 300 allows retrieval of the access PIN from sniffed data.
17257 CVE-2014-5377 200 1 +Info 2014-09-04 2018-10-09
5.0
None Remote Low Not required Partial None None
ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.
17258 CVE-2014-5368 22 Dir. Trav. 2014-08-22 2017-09-08
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.
17259 CVE-2014-5355 DoS 2015-02-20 2020-01-21
5.0
None Remote Low Not required None None Partial
MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c.
17260 CVE-2014-5350 22 Dir. Trav. 2014-08-19 2014-08-20
5.0
None Remote Low Not required Partial None None
Multiple directory traversal vulnerabilities in Bitdefender GravityZone before 5.1.11.432 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the id parameter to webservice/CORE/downloadFullKitEpc/a/1 in the Web Console or (2) %2E%2E (encoded dot dot) in the default URI to port 7074 on the Update Server.
17261 CVE-2014-5349 119 1 DoS Overflow 2014-08-19 2014-08-20
5.0
None Remote Low Not required None None Partial
Stack-based buffer overflow in Baidu Spark Browser 26.5.9999.3511 allows remote attackers to cause a denial of service (application crash) via nested calls to the window.print JavaScript function.
17262 CVE-2014-5337 264 +Info 2014-08-29 2018-11-19
5.0
None Remote Low Not required Partial None None
The WordPress Mobile Pack plugin before 2.0.2 for WordPress does not properly restrict access to password protected posts, which allows remote attackers to obtain sensitive information via an exportarticles action to export/content.php.
17263 CVE-2014-5325 200 +Info 2014-11-24 2016-11-28
5.0
None Remote Low Not required Partial None None
The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
17264 CVE-2014-5323 310 +Info 2014-09-24 2014-10-04
5.4
None Local Network Medium Not required Partial Partial Partial
The Yuko Yuko (aka jp.co.yukoyuko.android.yukoyuko_android) application 1.0.5 and earlier for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
17265 CVE-2014-5321 310 +Info 2014-09-22 2014-09-22
5.8
None Remote Medium Not required Partial Partial None
FileMaker Pro before 13 and Pro Advanced before 13 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2319.
17266 CVE-2014-5320 200 +Info 2014-09-22 2014-09-22
5.0
None Remote Low Not required Partial None None
The Bump application for Android does not properly handle implicit intents, which allows attackers to obtain sensitive owner-name information via a crafted application.
17267 CVE-2014-5318 264 Bypass 2014-09-26 2017-01-07
5.8
None Remote Medium Not required Partial Partial None
The jigbrowser+ application 1.8.1 and earlier for iOS allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.
17268 CVE-2014-5300 287 1 Exec Code Bypass 2014-10-08 2018-10-09
5.0
None Remote Low Not required None Partial None
Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 allows remote attackers to bypass the signature check, impersonate arbitrary users, and execute commands via a message without a signature.
17269 CVE-2014-5298 264 Bypass 2014-10-10 2018-10-09
5.0
None Remote Low Not required None None Partial
FileUploadsFilter.php in X2Engine 4.1.7 and earlier, when running on case-insensitive file systems, allows remote attackers to bypass the upload blacklist and conduct unrestricted file upload attacks by uploading a file with an executable extension that contains uppercase letters, as demonstrated using a PHP program.
17270 CVE-2014-5282 20 2018-02-06 2019-04-29
5.5
None Remote Low ??? Partial Partial None
Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via 'docker load'.
17271 CVE-2014-5277 17 2014-11-17 2018-08-13
5.0
None Remote Low Not required Partial None None
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.
17272 CVE-2014-5269 264 Bypass +Info 2014-09-04 2014-09-08
5.0
None Remote Low Not required Partial None None
Plack::App::File in Plack before 1.0031 removes trailing slash characters from paths, which allows remote attackers to bypass the whitelist of generated files and obtain sensitive information via a crafted path, related to Plack::Middleware::Static.
17273 CVE-2014-5268 264 2014-12-01 2014-12-01
5.8
None Remote Medium Not required None Partial Partial
The Fasttoggle module 7.x-1.3 and 7.x-1.4 for Drupal allows remote attackers to block or unblock an account via a crafted user status link.
17274 CVE-2014-5266 399 DoS 2014-08-18 2015-11-25
5.0
None Remote Low Not required None None Partial
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.
17275 CVE-2014-5265 399 DoS 2014-08-18 2015-11-25
5.0
None Remote Low Not required None None Partial
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
17276 CVE-2014-5256 119 DoS Overflow Mem. Corr. 2014-09-05 2015-05-12
5.0
None Remote Low Not required None None Partial
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
17277 CVE-2014-5236 22 Dir. Trav. 2020-01-31 2020-02-06
5.0
None Remote Low Not required Partial None None
Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument text file.
17278 CVE-2014-5209 200 +Info 2020-01-08 2020-01-24
5.0
None Remote Low Not required Partial None None
An Information Disclosure vulnerability exists in NTP 4.2.7p25 private (mode 6/7) messages via a GET_RESTRICT control message, which could let a malicious user obtain sensitive information.
17279 CVE-2014-5187 22 Dir. Trav. 2014-08-06 2014-08-07
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the Tom M8te (tom-m8te) plugin 1.5.3 for WordPress allows remote attackers to read arbitrary files via the file parameter to tom-download-file.php.
17280 CVE-2014-5181 22 Dir. Trav. 2014-08-06 2014-08-07
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in lastfm-proxy.php in the Last.fm Rotation (lastfm-rotation) plugin 1.0 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the snode parameter.
17281 CVE-2014-5173 264 Bypass 2014-07-31 2018-10-09
5.0
None Remote Low Not required Partial None None
SAP HANA Extend Application Services (XS) allows remote attackers to bypass access restrictions via a request to a private IU5 SDK application that was once public.
17282 CVE-2014-5165 119 DoS Overflow 2014-08-01 2017-01-07
5.0
None Remote Low Not required None None Partial
The dissect_ber_constrained_bitstring function in epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.10.x before 1.10.9 does not properly validate padding values, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet.
17283 CVE-2014-5164 119 DoS Overflow 2014-08-01 2017-01-07
5.0
None Remote Low Not required None None Partial
The rlc_decode_li function in epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.10.x before 1.10.9 initializes a certain structure member only after this member is used, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
17284 CVE-2014-5163 119 DoS Overflow 2014-08-01 2017-01-07
5.0
None Remote Low Not required None None Partial
The APN decode functionality in (1) epan/dissectors/packet-gtp.c and (2) epan/dissectors/packet-gsm_a_gm.c in the GTP and GSM Management dissectors in Wireshark 1.10.x before 1.10.9 does not completely initialize a certain buffer, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
17285 CVE-2014-5162 119 DoS Overflow 2014-08-01 2017-01-07
5.0
None Remote Low Not required None None Partial
The read_new_line function in wiretap/catapult_dct2000.c in the Catapult DCT2000 dissector in Wireshark 1.10.x before 1.10.9 does not properly strip '\n' and '\r' characters, which allows remote attackers to cause a denial of service (off-by-one buffer underflow and application crash) via a crafted packet.
17286 CVE-2014-5161 119 DoS Overflow 2014-08-01 2017-01-07
5.0
None Remote Low Not required None None Partial
The dissect_log function in plugins/irda/packet-irda.c in the IrDA dissector in Wireshark 1.10.x before 1.10.9 does not properly strip '\n' characters, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet.
17287 CVE-2014-5138 Bypass 2020-01-14 2020-01-21
5.0
None Remote Low Not required None Partial None
Innovative Interfaces Sierra Library Services Platform 1.2_3 does not properly handle query strings with multiple instances of the same parameter, which allows remote attackers to bypass parameter validation via unspecified vectors, possibly related to the Webpac Pro submodule.
17288 CVE-2014-5137 200 +Info 2014-09-02 2018-10-09
5.0
None Remote Low Not required Partial None None
Innovative Interfaces Sierra Library Services Platform 1.2_3 provides different responses for login request depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of login requests, possibly related to the Webpac Pro submodule.
17289 CVE-2014-5128 200 +Info 2014-08-29 2018-10-09
5.0
None Remote Low Not required Partial None None
Innovative Interfaces Encore Discovery Solution 4.3 places a session token in the URI, which might allow remote attackers to obtain sensitive information via unspecified vectors.
17290 CVE-2014-5127 2014-08-29 2018-10-09
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in Innovative Interfaces Encore Discovery Solution 4.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in an unspecified parameter.
17291 CVE-2014-5122 2014-08-22 2018-10-09
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in ESRI ArcGIS for Server 10.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter, related to login.
17292 CVE-2014-5117 2014-07-30 2017-01-07
5.8
None Remote Medium Not required Partial Partial None
Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit after an inbound RELAY_EARLY cell is received by a client, which makes it easier for remote attackers to conduct traffic-confirmation attacks by using the pattern of RELAY and RELAY_EARLY cells as a means of communicating information about hidden service names.
17293 CVE-2014-5116 1 DoS 2014-07-29 2014-07-30
5.0
None Remote Low Not required None None Partial
The cairo_image_surface_get_data function in Cairo 1.10.2, as used in GTK+ and Wireshark, allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via a large string.
17294 CVE-2014-5115 22 1 Dir. Trav. 2014-07-29 2014-08-27
5.0
None Remote Low Not required Partial None None
Absolute path traversal vulnerability in DirPHP 1.0 allows remote attackers to read arbitrary files via a full pathname in the phpfile parameter to index.php.
17295 CVE-2014-5111 22 Dir. Trav. 2014-07-28 2014-07-29
5.0
None Remote Low Not required Partial None None
Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter to (1) home/index.php, (2) asterisk_info/asterisk_info.php, (3) repo/repo.php, or (4) endpointcfg/endpointcfg.php in maint/modules/.
17296 CVE-2014-5107 200 +Info 2014-07-28 2017-11-20
5.0
None Remote Low Not required Partial None None
concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3) system/environment/file_storage_locations.php, (4) system/mail/importers.php, (5) system/mail/method.php, (6) system/permissions/file_types.php, (7) system/permissions/files.php, (8) system/permissions/tasks.php, (9) system/permissions/users.php, (10) system/seo/view.php, (11) view.php, (12) users/attributes.php, (13) scrapbook/view.php, (14) pages/attributes.php, (15) files/attributes.php, or (16) files/search.php in single_pages/dashboard/.
17297 CVE-2014-5094 200 +Info 2014-10-20 2017-08-29
5.0
None Remote Low Not required Partial None None
Status2k allows remote attackers to obtain configuration information via a phpinfo action in a request to status/index.php, which calls the phpinfo function.
17298 CVE-2014-5093 522 2020-01-10 2020-01-14
5.0
None Remote Low Not required None Partial None
Status2k does not remove the install directory allowing credential reset.
17299 CVE-2014-5068 22 Dir. Trav. 2018-01-11 2018-01-29
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the web application in Symmetricom s350i 2.70.15 allows remote attackers to read arbitrary files via a (1) ../ (dot dot slash) or (2) ..\ (dot dot forward slash) before a file name.
17300 CVE-2014-5032 264 +Info 2015-04-14 2015-04-15
5.0
None Remote Low Not required Partial None None
GLPI before 0.84.7 does not properly restrict access to cost information, which allows remote attackers to obtain sensitive information via the cost criteria in the search bar.
Total number of vulnerabilities : 22711   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 (This Page)347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.