| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
| 38701 | CVE-2014-8604 | 200 | | +Info | 2015-06-10 | 2015-06-11 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! returns the MySQL password in cleartext to a text box in the configuration panel, which allows remote attackers to obtain sensitive information via unspecified vectors. |
| 38702 | CVE-2014-8603 | 20 | | Exec Code | 2015-06-10 | 2015-06-11 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial |
cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to execute arbitrary code via shell metacharacters in the (1) file name when creating a backup or vectors related to the (2) $_CONFIG[tarpath], (3) $exclude, (4) $_CONFIG['tarcompress'], (5) $_CONFIG['filename'], (6) $_CONFIG['exfile_tar'], (7) $_CONFIG[sqldump], (8) $_CONFIG['mysql_host'], (9) $_CONFIG['mysql_pass'], (10) $_CONFIG['mysql_user'], (11) $database_name, or (12) $sqlfile variable. |
| 38703 | CVE-2014-8602 | 399 | | DoS | 2014-12-10 | 2016-11-28 | 4.3 | None | Remote | Medium | Not required | None | None | Partial |
iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals. |
| 38704 | CVE-2014-8601 | 399 | | DoS | 2014-12-10 | 2016-09-06 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which allows remote attackers to cause a denial of service ("performance degradations") via a large or infinite number of referrals, as demonstrated by resolving domains hosted by ezdns.it. |
| 38705 | CVE-2014-8600 | 79 | | XSS | 2014-12-08 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Multiple cross-site scripting (XSS) vulnerabilities in KDE-Runtime 4.14.3 and earlier, kwebkitpart 1.3.4 and earlier, and kio-extras 5.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via a crafted URI using the (1) zip, (2) trash, (3) tar, (4) thumbnail, (5) smtps, (6) smtp, (7) smb, (8) remote, (9) recentdocuments, (10) nntps, (11) nntp, (12) network, (13) mbox, (14) ldaps, (15) ldap, (16) fonts, (17) file, (18) desktop, (19) cgi, (20) bookmarks, or (21) ar scheme, which is not properly handled in an error message. |
| 38706 | CVE-2014-8598 | 19 | | Exec Code +Info | 2014-11-18 | 2017-09-07 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None |
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code. |
| 38707 | CVE-2014-8595 | 17 | | DoS +Priv | 2014-11-19 | 2018-10-30 | 1.9 | None | Local | Medium | Not required | None | None | Partial |
arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a crafted (1) CALL, (2) JMP, (3) RETF, (4) LCALL, (5) LJMP, or (6) LRET far branch instruction. |
| 38708 | CVE-2014-8594 | 20 | | DoS | 2014-11-19 | 2018-10-30 | 5.4 | None | Remote | High | Not required | None | None | Complete |
The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, which allows remote PV guests to cause a denial of service (NULL pointer dereference) by leveraging hardware emulation services for HVM guests using Hardware Assisted Paging (HAP). |
| 38709 | CVE-2014-8593 | 79 | | XSS | 2014-11-04 | 2017-09-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Multiple cross-site scripting (XSS) vulnerabilities in Allomani Weblinks 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) default URI to admin.php or the (2) id parameter to admin.php or (3) go.php. |
| 38710 | CVE-2014-8592 | | | DoS | 2014-11-04 | 2018-12-10 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
Unspecified vulnerability in SAP Host Agent, as used in SAP NetWeaver 7.02 and 7.3, allows remote attackers to cause a denial of service (process termination) via a crafted request. |
| 38711 | CVE-2014-8591 | | | DoS | 2014-11-04 | 2018-12-10 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
Unspecified vulnerability in SAP Internet Communication Manager (ICM), as used in SAP NetWeaver 7.02 and 7.3, allows remote attackers to cause a denial of service (process termination) via unknown vectors. |
| 38712 | CVE-2014-8590 | | | | 2014-11-04 | 2018-12-10 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
XML external entity (XXE) vulnerability in the Web Service Navigator in SAP NetWeaver Application Server (AS) Java allows remote attackers to access arbitrary files via a crafted request. |
| 38713 | CVE-2014-8589 | 189 | | DoS Overflow | 2014-11-04 | 2018-12-10 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
Integer overflow in SAP Network Interface Router (SAProuter) 40.4 allows remote attackers to cause a denial of service (resource consumption) via crafted requests. |
| 38714 | CVE-2014-8585 | 59 | | Dir. Trav. | 2014-11-04 | 2017-09-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Directory traversal vulnerability in the WordPress Download Manager plugin for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the fname parameter to (1) views/file_download.php or (2) file_download.php. |
| 38715 | CVE-2014-8584 | 79 | | XSS | 2014-11-04 | 2014-12-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting (XSS) vulnerability in the Web Dorado Spider Video Player (aka WordPress Video Player) plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 38716 | CVE-2014-8583 | 254 | | +Priv | 2014-12-16 | 2017-06-30 | 6.9 | Admin | Local | Medium | Not required | Complete | Complete | Complete |
mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via unspecified vectors. |
| 38717 | CVE-2014-8582 | | | | 2014-11-01 | 2017-09-07 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None |
FortiNet FortiADC-E with firmware 3.1.1 before 4.0.5 and Coyote Point Equalizer with firmware 10.2.0a allow remote attackers to obtain access to arbitrary subnets via unspecified vectors. |
| 38718 | CVE-2014-8580 | 264 | | | 2014-11-07 | 2017-09-07 | 4.9 | None | Remote | Medium | Single system | Partial | Partial | None |
Citrix NetScaler Application Delivery Controller and NetScaler Gateway 10.5.50.10 before 10.5-52.11, 10.1.122.17 before 10.1-129.11, and 10.1-120.1316.e before 10.1-129.1105.e, when using unspecified configurations, allow remote authenticated users to access "network resources" of other users via unknown vectors. |
| 38719 | CVE-2014-8578 | 79 | | XSS | 2014-10-31 | 2014-11-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting (XSS) vulnerability in the Groups panel in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-3475. |
| 38720 | CVE-2014-8577 | 79 | 1 | XSS | 2014-10-31 | 2017-09-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Multiple cross-site scripting (XSS) vulnerabilities in Croogo before 2.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Contact][title] parameter to admin/contacts/contacts/add page; (2) data[Block][title] or (3) data[Block][alias] parameter to admin/blocks/blocks/edit page; (4) data[Region][title] parameter to admin/blocks/regions/add page; (5) data[Menu][title] or (6) data[Menu][alias] parameter to admin/menus/menus/add page; or (7) data[Link][title] parameter to admin/menus/links/add/menu page. |
| 38721 | CVE-2014-8571 | 264 | | +Info | 2017-04-02 | 2017-04-05 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
Apps on Huawei Ascend P6 mobile phones with software EDGE-U00 V100R001C17B508SP01 and earlier versions before V100R001C17B508SP02; EDGE-T00 V100R001C01B508SP01 and earlier versions before V100R001C01B508SP02; EDGE-C00 V100R001C92B508SP02 and earlier versions before V100R001C92B508SP03 can capture screens without the root permission. As a result, user information can be leaked by malware on Ascend P6 mobile phones. |
| 38722 | CVE-2014-8570 | 200 | | +Info | 2017-04-02 | 2017-04-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Huawei S9300, S9303, S9306, S9312 with software V100R002; S7700, S7703, S7706, S7712 with software V100R003, V100R006, V200R001, V200R002, V200R003, V200R005; S9300E, S9303E, S9306E, S9312E with software V200R001; S9700, S9703, S9706, S9712 with software V200R002, V200R003, V200R005; S12708, S12712 with software V200R005; 5700HI, 5300HI with software V100R006, V200R001, V200R002, V200R003, V200R005; 5710EI, 5310EI with software V200R002, V200R003, V200R005; 5710HI, 5310HI with software V200R003, V200R005; 6700EI, 6300EI with software V200R005 could cause a leak of IP addresses of devices, related to unintended interface support for VRP MPLS LSP Ping. |
| 38723 | CVE-2014-8566 | 200 | | DoS Overflow +Info | 2014-11-15 | 2015-11-20 | 6.4 | None | Remote | Low | Not required | Partial | None | Partial |
The mod_auth_mellon module before 0.8.1 allows remote attackers to obtain sensitive information or cause a denial of service (segmentation fault) via unspecified vectors related to a "session overflow" involving "sessions overlapping in memory." |
| 38724 | CVE-2014-8564 | 310 | | DoS | 2014-11-13 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing requests (CSR), related to generating key IDs. |
| 38725 | CVE-2014-8562 | 125 | | DoS | 2017-04-11 | 2017-04-17 | 4.3 | None | Remote | Medium | Not required | None | None | Partial |
DCM decode in ImageMagick before 6.8.9-9 allows remote attackers to cause a denial of service (out-of-bounds read). |
| 38726 | CVE-2014-8559 | 399 | | DoS | 2014-11-10 | 2019-04-08 | 4.9 | None | Local | Low | Not required | None | None | Complete |
The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang) via a crafted application. |
| 38727 | CVE-2014-8558 | 264 | | Bypass | 2014-11-25 | 2014-11-26 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial |
JExperts Channel Platform 5.0.33_CCB allows remote authenticated users to bypass access restrictions via crafted action and key parameters. |
| 38728 | CVE-2014-8557 | 79 | | XSS | 2014-11-13 | 2017-09-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Multiple cross-site scripting (XSS) vulnerabilities in JExperts Channel Platform 5.0.33_CCB allow remote attackers to inject arbitrary web script or HTML via the (1) usuario.nome variable in an editarUsuario action to usuario.do or (2) titulo.form variable in a novoChamado action to ticket.do. |
| 38729 | CVE-2014-8555 | 22 | 1 | Dir. Trav. | 2014-11-12 | 2015-10-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Directory traversal vulnerability in report/reportViewAction.jsp in Progress Software OpenEdge 11.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the selection parameter. |
| 38730 | CVE-2014-8553 | 200 | | +Info | 2014-12-17 | 2017-09-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request. |
| 38731 | CVE-2014-8552 | 200 | | +Info | 2014-11-26 | 2014-11-26 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets. |
| 38732 | CVE-2014-8540 | 264 | | | 2018-01-05 | 2018-01-18 | 4.0 | None | Remote | Low | Single system | None | Partial | None |
The groups API in GitLab 6.x and 7.x before 7.4.3 allows remote authenticated guest users to modify ownership of arbitrary groups by leveraging improper permission checks. |
| 38733 | CVE-2014-8539 | 79 | | XSS | 2014-11-21 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting (XSS) vulnerability in Simple Email Form 1.8.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the mod_simpleemailform_field2_1 parameter to index.php. |
| 38734 | CVE-2014-8538 | 310 | | +Info | 2014-10-29 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial |
The Hijab Modern (aka com.Aisyaidea.HijabModern) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 38735 | CVE-2014-8537 | 200 | | +Info | 2014-10-29 | 2017-09-07 | 2.1 | None | Local | Low | Not required | Partial | None | None |
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading the logs. |
| 38736 | CVE-2014-8536 | 200 | | +Info | 2014-10-29 | 2017-09-07 | 2.1 | None | Local | Low | Not required | Partial | None | None |
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading unspecified error messages. |
| 38737 | CVE-2014-8535 | | | Bypass | 2014-10-29 | 2014-10-30 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial |
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to bypass intended restriction on unspecified functionality via unknown vectors. |
| 38738 | CVE-2014-8534 | | | DoS | 2014-10-29 | 2014-10-30 | 2.1 | None | Local | Low | Not required | None | None | Partial |
Unspecified vulnerability in the login form in McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to cause a denial of service via a crafted value in the domain field. |
| 38739 | CVE-2014-8532 | | | +Info | 2014-10-29 | 2014-10-30 | 3.6 | None | Local | Low | Not required | Partial | Partial | None |
Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information and impact integrity via unknown vectors, related to partition mounting. |
| 38740 | CVE-2014-8531 | 310 | | Exec Code | 2014-10-29 | 2017-09-07 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial |
The TLS/SSL Server in McAfee Network Data Loss Prevention (NDLP) before 9.3 uses weak cipher algorithms, which makes it easier for remote authenticated users to execute arbitrary code via unspecified vectors. |
| 38741 | CVE-2014-8529 | 310 | | +Info | 2014-10-29 | 2014-10-30 | 2.1 | None | Local | Low | Not required | Partial | None | None |
McAfee Network Data Loss Prevention (NDLP) before 9.3 stores the SSH key in cleartext, which allows local users to obtain sensitive information via unspecified vectors. |
| 38742 | CVE-2014-8528 | 200 | | +Info | 2014-10-29 | 2014-10-30 | 2.1 | None | Local | Low | Not required | Partial | None | None |
McAfee Network Data Loss Prevention (NDLP) before 9.3 logs session IDs, which allows local users to obtain sensitive information by reading the audit log. |
| 38743 | CVE-2014-8527 | 255 | | +Info | 2014-10-29 | 2014-10-30 | 3.6 | None | Local | Low | Not required | Partial | Partial | None |
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information and affect integrity via vectors related to a "plain text password." |
| 38744 | CVE-2014-8526 | 200 | | +Info | 2014-10-29 | 2014-10-30 | 2.1 | None | Local | Low | Not required | Partial | None | None |
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information by reading a Java stack trace. |
| 38745 | CVE-2014-8525 | 200 | | +Info | 2014-10-29 | 2017-09-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
McAfee Network Data Loss Prevention (NDLP) before 9.3 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
| 38746 | CVE-2014-8524 | 200 | | +Info | 2014-10-29 | 2014-10-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
McAfee Network Data Loss Prevention (NDLP) before 9.3 does not disable the autocomplete setting for the password and other fields, which allows remote attackers to obtain sensitive information via unspecified vectors. |
| 38747 | CVE-2014-8523 | 352 | | CSRF | 2014-10-29 | 2014-10-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
| 38748 | CVE-2014-8521 | 352 | | XSS | 2014-10-29 | 2014-10-30 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Cross-site scripting (XSS) vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| 38749 | CVE-2014-8520 | 200 | | +Info | 2014-10-29 | 2017-09-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information via vectors related to open network ports. |
| 38750 | CVE-2014-8519 | | | | 2014-10-29 | 2014-10-30 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to read arbitrary files via unknown vectors. |