# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
38351 |
CVE-2014-9350 |
19 |
1
|
DoS |
2014-12-08 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm. |
38352 |
CVE-2014-9349 |
79 |
1
|
XSS |
2014-12-08 |
2017-09-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in admin/robots.lib.php in RobotStats 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) nom or (2) user_agent parameter to admin/robots.php. |
38353 |
CVE-2014-9346 |
79 |
|
XSS |
2014-12-08 |
2017-09-07 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the Hierarchical Select module 6.x-3.x before 6.x-3.9 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to the (1) taxonomy term title for instances with Save term lineage enabled or (2) entity type fields. |
38354 |
CVE-2014-9344 |
352 |
|
CSRF |
2014-12-08 |
2017-09-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in Snowfox CMS before 1.0.10 allows remote attackers to hijack the authentication of administrators for requests that add a new admin account via a submit action in the admin/accounts/create uri to snowfox/. |
38355 |
CVE-2014-9343 |
|
|
|
2014-12-08 |
2017-09-07 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
Open redirect vulnerability in modules/system/controller/selectlanguage.class.php in Snowfox CMS 1.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the rd parameter in a submit action to snowfox/. |
38356 |
CVE-2014-9342 |
79 |
|
XSS |
2014-12-08 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the tree view (pl_tree.php) feature in Application Security Manager (ASM) in F5 BIG-IP 11.3.0 allows remote attackers to inject arbitrary web script or HTML by accessing a crafted URL during automatic policy generation. |
38357 |
CVE-2014-9341 |
352 |
|
XSS CSRF |
2014-12-19 |
2014-12-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in the yURL ReTwitt plugin 1.4 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) yurl_login or (2) yurl_anchor parameter in the yurl page to wp-admin/options-general.php. |
38358 |
CVE-2014-9340 |
352 |
|
XSS CSRF |
2014-12-19 |
2014-12-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in the wpCommentTwit plugin 0.5 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) username or (2) password parameter in the wpCommentTwit.php page to wp-admin/options-general.php. |
38359 |
CVE-2014-9339 |
352 |
|
XSS CSRF |
2014-12-19 |
2014-12-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in the SPNbabble plugin 1.4.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) username or (2) password parameter in the spnbabble.php page to wp-admin/options-general.php. |
38360 |
CVE-2014-9338 |
352 |
|
XSS CSRF |
2014-12-19 |
2014-12-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in the O2Tweet plugin 0.0.4 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) o2t_username or (2) o2t_tags parameter to wp-admin/options-general.php. |
38361 |
CVE-2014-9337 |
352 |
|
XSS CSRF |
2014-12-19 |
2014-12-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in the Mikiurl Wordpress Eklentisi plugin 2.0 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) twitter_kullanici or (2) twitter_sifre parameter in a kaydet action in the mikiurl.php page to wp-admin/options-general.php. |
38362 |
CVE-2014-9336 |
352 |
|
XSS CSRF |
2014-12-19 |
2014-12-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in the iTwitter plugin 0.04 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) itex_t_twitter_username or (2) itex_t_twitter_userpass parameter in the iTwitter.php page to wp-admin/options-general.php. |
38363 |
CVE-2014-9335 |
352 |
|
XSS CSRF |
2014-12-19 |
2017-09-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in the DandyID Services plugin 1.5.9 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) email_address or (2) sidebarTitle parameter in the dandyid-services.php page to wp-admin/options-general.php. |
38364 |
CVE-2014-9334 |
352 |
|
XSS CSRF |
2014-12-24 |
2017-09-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in the Bird Feeder plugin 1.2.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) user or (2) password parameter in the bird-feeder page to wp-admin/options-general.php. |
38365 |
CVE-2014-9331 |
352 |
1
|
CSRF |
2015-02-04 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to STATE_ID/1417736606982/roleMgmt.do. |
38366 |
CVE-2014-9330 |
189 |
|
DoS Overflow |
2015-01-20 |
2018-01-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) via crafted BMP image, related to dimensions, which triggers an out-of-bounds read. |
38367 |
CVE-2014-9326 |
|
|
|
2015-05-12 |
2017-01-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The automatic signature update functionality in the (1) Phone Home feature in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, GTM, and Link Controller 11.5.0 through 11.6.0, ASM 10.0.0 through 11.6.0, and PEM 11.3.0 through 11.6.0 and the (2) Call Home feature in ASM 10.0.0 through 11.6.0 and PEM 11.3.0 through 11.6.0 does not properly validate server SSL certificates, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate. |
38368 |
CVE-2014-9325 |
79 |
|
XSS |
2014-12-31 |
2015-01-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERYSTRING variable in lib/TWiki.pm or (2) QUERYPARAMSTRING variable in lib/TWiki/UI/View.pm, as demonstrated by the QUERY_STRING to do/view/Main/TWikiPreferences. |
38369 |
CVE-2014-9324 |
264 |
|
|
2014-12-19 |
2017-01-02 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors. |
38370 |
CVE-2014-9323 |
|
|
DoS |
2014-12-16 |
2019-04-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The xdr_status_vector function in Firebird before 2.1.7 and 2.5.x before 2.5.3 SU1 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and crash) via an op_response action with a non-empty status. |
38371 |
CVE-2014-9319 |
119 |
|
DoS Overflow |
2014-12-09 |
2016-12-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted .bit file. |
38372 |
CVE-2014-9312 |
434 |
|
|
2017-08-28 |
2019-07-08 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
Unrestricted File Upload vulnerability in Photo Gallery 1.2.5. |
38373 |
CVE-2014-9311 |
79 |
|
XSS |
2015-04-14 |
2015-04-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in admin.php in the Shareaholic plugin before 7.6.1.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the location[id] parameter in a shareaholic_add_location action to wp-admin/admin-ajax.php. |
38374 |
CVE-2014-9310 |
79 |
|
XSS |
2017-06-07 |
2017-06-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the WordPress Backup to Dropbox plugin before 4.1 for WordPress. |
38375 |
CVE-2014-9308 |
|
1
|
Exec Code |
2015-01-15 |
2015-01-16 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/. |
38376 |
CVE-2014-9305 |
89 |
1
|
Exec Code Sql |
2014-12-08 |
2014-12-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
SQL injection vulnerability in the shortcodeProductsTable function in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.2 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a shortcode_products_table action to wp-admin/admin-ajax.php. |
38377 |
CVE-2014-9302 |
|
|
|
2014-12-07 |
2014-12-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
Server-side request forgery (SSRF) vulnerability in the cmisbrowser servlet in Content Management Interoperability Service (CMIS) in Alfresco Community Edition 5.0.a and earlier allows remote attackers to trigger outbound requests via a crafted URI in the url parameter. |
38378 |
CVE-2014-9301 |
|
|
|
2014-12-07 |
2015-02-17 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter. |
38379 |
CVE-2014-9300 |
352 |
|
CSRF |
2014-12-07 |
2015-02-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in the cmisbrowser servlet in Content Management Interoperability Service (CMIS) in Alfresco Community Edition before 5.0.a allows remote attackers to hijack the authentication of users for requests that access unauthorized URLs and obtain user credentials via a URL in the url parameter. |
38380 |
CVE-2014-9296 |
17 |
|
|
2014-12-19 |
2017-11-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets. |
38381 |
CVE-2014-9292 |
|
|
|
2014-12-05 |
2014-12-08 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
Server-side request forgery (SSRF) vulnerability in proxy.php in the jRSS Widget plugin 1.2 and earlier for WordPress allows remote attackers to trigger outbound requests and enumerate open ports via the url parameter. |
38382 |
CVE-2014-9283 |
|
|
Bypass |
2015-03-03 |
2015-03-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors. |
38383 |
CVE-2014-9282 |
22 |
|
Dir. Trav. |
2015-02-24 |
2015-02-25 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
Directory traversal vulnerability in the Speed Root Explorer application before 3.2 for Android and the Speed Explorer application before 2.2 for Android allows remote attackers to write to arbitrary files via a crafted filename. |
38384 |
CVE-2014-9281 |
79 |
|
XSS |
2014-12-09 |
2017-09-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field. |
38385 |
CVE-2014-9279 |
200 |
|
+Info |
2014-12-08 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL. |
38386 |
CVE-2014-9278 |
287 |
|
Bypass |
2014-12-06 |
2017-09-07 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login. |
38387 |
CVE-2014-9276 |
352 |
|
XSS CSRF |
2015-01-04 |
2015-01-06 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview. |
38388 |
CVE-2014-9273 |
119 |
|
Exec Code Overflow +Priv |
2014-12-08 |
2018-10-30 |
4.6 |
User |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
lib/handle.c in Hivex before 1.3.11 allows local users to execute arbitrary code and gain privileges via a small hive files, which triggers an out-of-bounds read or write. |
38389 |
CVE-2014-9272 |
79 |
|
XSS |
2015-01-09 |
2017-01-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol. |
38390 |
CVE-2014-9271 |
79 |
|
XSS |
2015-01-09 |
2017-01-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename. |
38391 |
CVE-2014-9270 |
79 |
|
XSS |
2014-12-08 |
2017-09-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field. |
38392 |
CVE-2014-9269 |
79 |
|
XSS |
2015-01-09 |
2017-01-02 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie. |
38393 |
CVE-2014-9268 |
20 |
|
Exec Code |
2014-12-08 |
2015-12-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
The AdView.AdViewer.1 ActiveX control in Autodesk Design Review (ADR) before 2013 Hotfix 1 allows remote attackers to execute arbitrary code via a crafted DWF file. |
38394 |
CVE-2014-9267 |
119 |
|
Exec Code Overflow |
2014-12-08 |
2014-12-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Heap-based buffer overflow in the PTC IsoView ActiveX control allows remote attackers to execute arbitrary code via a crafted ViewPort property value. |
38395 |
CVE-2014-9266 |
94 |
|
Exec Code |
2014-12-08 |
2014-12-23 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
The STWConfig ActiveX control in Samsung SmartViewer does not properly initialize a variable, which allows remote attackers to execute arbitrary code via unspecified vectors. |
38396 |
CVE-2014-9265 |
119 |
|
Exec Code Overflow |
2014-12-08 |
2014-12-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Stack-based buffer overflow in the BackupToAvi method in the CNC_Ctrl ActiveX control in Samsung SmartViewer allows remote attackers to execute arbitrary code via unspecified vectors. |
38397 |
CVE-2014-9263 |
119 |
|
Exec Code Overflow |
2014-12-08 |
2014-12-23 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple buffer overflows in the PocketNetNVRMediaClientAxCtrl.NVRMediaViewer.1 control in 3S Pocketnet Tech VMS allow remote attackers to execute arbitrary code via a crafted string to the (1) StartRecord, (2) StartRecordEx, (3) StartScheduledRecord, (4) SetDisplayText, (5) GetONVIFDeviceInformation, (6) GetONVIFProfiles, or (7) GetONVIFStreamUri method or a crafted filename to the (8) SaveCurrentImage or (9) SaveCurrentImageEx method. |
38398 |
CVE-2014-9262 |
264 |
|
|
2017-08-07 |
2017-08-15 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
The Duplicator plugin in Wordpress before 0.5.10 allows remote authenticated users to create and download backup files. |
38399 |
CVE-2014-9261 |
22 |
1
|
Dir. Trav. |
2015-03-23 |
2015-03-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The sanitize function in Codoforum 2.5.1 does not properly implement filtering for directory traversal sequences, which allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter to index.php. |
38400 |
CVE-2014-9260 |
264 |
|
|
2017-08-07 |
2017-08-15 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
The basic_settings function in the download manager plugin for WordPress before 2.7.3 allows remote authenticated users to update every WordPress option. |