| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 40951 | CVE-2014-5391 | 79 | | XSS | 2014-09-11 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the JobScheduler Operations Center (JOC) in SOS JobScheduler before 1.6.4246 and 1.7.x before 1.7.4241 allows remote attackers to inject arbitrary web script or HTML via the hash property (location.hash). |
| 40952 | CVE-2014-5388 | 119 | | Overflow Mem. Corr. +Info | 2014-11-15 | 2014-11-17 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption. |
| 40953 | CVE-2014-5387 | 89 | | Exec Code Sql | 2014-11-04 | 2015-09-08 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module to system/index.php. |
| 40954 | CVE-2014-5386 | 310 | | | 2014-12-28 | 2014-12-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initialization vector. |
| 40955 | CVE-2014-5385 | 287 | | | 2014-08-21 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | None | Partial | None | com/salesmanager/central/profile/ProfileAction.java in Shopizer 1.1.5 and earlier does not restrict the number of authentication attempts, which makes it easier for remote attackers to guess passwords via a brute force attack. |
| 40956 | CVE-2014-5384 | 119 | | DoS Overflow | 2014-08-21 | 2014-08-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The VIQR module in the iconv implementation in FreeBSD 10.0 before p6 and NetBSD allows context-dependent attackers to cause a denial of service (out-of-bounds array access) via a crafted argument to the iconv_open function. NOTE: this issue was SPLIT from CVE-2014-3951 per ADT2 due to different vulnerability types. |
| 40957 | CVE-2014-5383 | 89 | | Exec Code Sql | 2014-08-21 | 2015-09-08 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | SQL injection vulnerability in AlienVault OSSIM before 4.7.0 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. |
| 40958 | CVE-2014-5382 | 79 | | XSS | 2014-08-20 | 2014-08-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the web interface in Schrack Technik microControl with firmware 1.7.0 (937) allow remote attackers to inject arbitrary web script or HTML via the position textbox in the configuration menu or other unspecified vectors. |
| 40959 | CVE-2014-5377 | 200 | 1 | +Info | 2014-09-04 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request. |
| 40960 | CVE-2014-5376 | 20 | | | 2014-10-08 | 2018-10-09 | 4.0 | None | Remote | Low | Single system | None | Partial | None | Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0, when a pre-generated key is used, does not validate that the requesting user matches the actor in the message, which allows remote authenticated users to impersonate arbitrary users via the actor field in a message. |
| 40961 | CVE-2014-5375 | 20 | | | 2014-10-08 | 2018-10-09 | 4.0 | None | Remote | Low | Single system | None | Partial | None | The server in Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 does not properly validate the message owner matches the submitting user, which allows remote authenticated users to impersonate arbitrary users via the UserId and Owner tags. |
| 40962 | CVE-2014-5369 | 310 | | +Info | 2014-09-08 | 2016-12-21 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Enigmail 1.7.x before 1.7.2 sends emails in plaintext when encryption is enabled and only BCC recipients are specified, which allows remote attackers to obtain sensitive information by sniffing the network. |
| 40963 | CVE-2014-5368 | 22 | | Dir. Trav. | 2014-08-22 | 2017-09-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter. |
| 40964 | CVE-2014-5362 | 20 | | File Inclusion | 2017-09-19 | 2018-10-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | The admin interface in Landesk Management Suite 9.6 and earlier allows remote attackers to conduct remote file inclusion attacks involving ASPX pages from third-party sites via the d parameter to (1) ldms/sm_actionfrm.asp or (2) remote/frm_coremainfrm.aspx; or the (3) top parameter to remote/frm_splitfrm.aspx. |
| 40965 | CVE-2014-5361 | 352 | | CSRF | 2015-04-21 | 2018-10-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in Landesk Management Suite 9.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) start, (2) stop, or (3) restart services via a request to remote/serverServices.aspx. |
| 40966 | CVE-2014-5360 | 79 | | XSS | 2015-02-03 | 2016-04-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the admin interface in LANDESK Management Suite before 9.6 SP1 allows remote attackers to inject arbitrary web script or HTML via the AMTVersion parameter to remote/serverlist_grouptree.aspx. |
| 40967 | CVE-2014-5356 | 264 | | DoS | 2014-08-25 | 2017-01-06 | 4.0 | None | Remote | Low | Single system | None | None | Partial | OpenStack Image Registry and Delivery Service (Glance) before 2013.2.4, 2014.x before 2014.1.3, and Juno before Juno-3, when using the V2 API, does not properly enforce the image_size_cap configuration option, which allows remote authenticated users to cause a denial of service (disk consumption) by uploading a large image. |
| 40968 | CVE-2014-5355 | | | DoS | 2015-02-20 | 2018-02-03 | 5.0 | None | Remote | Low | Not required | None | None | Partial | MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c. |
| 40969 | CVE-2014-5354 | | | DoS | 2014-12-16 | 2017-01-02 | 3.5 | None | Remote | Medium | Single system | None | None | Partial | plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command. |
| 40970 | CVE-2014-5353 | | | DoS | 2014-12-16 | 2018-02-03 | 3.5 | None | Remote | Medium | Single system | None | None | Partial | The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy. |
| 40971 | CVE-2014-5351 | 255 | | | 2014-10-09 | 2018-02-03 | 2.1 | None | Remote | High | Single system | Partial | None | None | The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. |
| 40972 | CVE-2014-5350 | 22 | | Dir. Trav. | 2014-08-19 | 2014-08-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Multiple directory traversal vulnerabilities in Bitdefender GravityZone before 5.1.11.432 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the id parameter to webservice/CORE/downloadFullKitEpc/a/1 in the Web Console or (2) %2E%2E (encoded dot dot) in the default URI to port 7074 on the Update Server. |
| 40973 | CVE-2014-5349 | 119 | 1 | DoS Overflow | 2014-08-19 | 2014-08-20 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Stack-based buffer overflow in Baidu Spark Browser 26.5.9999.3511 allows remote attackers to cause a denial of service (application crash) via nested calls to the window.print JavaScript function. |
| 40974 | CVE-2014-5348 | 79 | | XSS | 2014-08-19 | 2014-08-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in apps/zxtm/locallog.cgi in Riverbed Stingray (aka SteelApp) Traffic Manager Virtual Appliance 9.6 patchlevel 9620140312 allows remote attackers to inject arbitrary web script or HTML via the logfile parameter. |
| 40975 | CVE-2014-5347 | 352 | 1 | XSS CSRF | 2014-08-19 | 2017-09-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin before 2.76 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) disqus_replace, (2) disqus_public_key, or (3) disqus_secret_key parameter to wp-admin/edit-comments.php in manage.php or that (4) reset or (5) delete plugin options via the reset parameter to wp-admin/edit-comments.php. |
| 40976 | CVE-2014-5346 | 352 | | CSRF | 2014-08-19 | 2014-08-20 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin 2.77 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) activate or (2) deactivate the plugin via the active parameter to wp-admin/edit-comments.php, (3) import comments via an import_comments action, or (4) export comments via an export_comments action to wp-admin/index.php. |
| 40977 | CVE-2014-5345 | 79 | | XSS | 2014-08-19 | 2014-08-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in upgrade.php in the Disqus Comment System plugin before 2.76 for WordPress allows remote attackers to inject arbitrary web script or HTML via the step parameter. |
| 40978 | CVE-2014-5344 | 79 | | XSS | 2014-08-19 | 2014-08-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the Mobiloud (mobiloud-mobile-app-plugin) plugin before 2.3.8 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information. |
| 40979 | CVE-2014-5343 | 79 | | XSS | 2014-08-19 | 2017-09-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Feng Office allows remote attackers to inject arbitrary web script or HTML via a client Name field. |
| 40980 | CVE-2014-5341 | 200 | | +Info | 2015-02-04 | 2015-02-05 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The SFTP external storage driver (files_external) in ownCloud Server before 6.0.5 validates the RSA Host key after login, which allows remote attackers to obtain sensitive information by sniffing the network. |
| 40981 | CVE-2014-5339 | | | | 2014-09-02 | 2018-10-09 | 4.9 | None | Remote | Medium | Single system | None | Partial | Partial | Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 allows remote authenticated users to write check_mk config files (.mk files) to arbitrary locations via vectors related to row selections. |
| 40982 | CVE-2014-5338 | 79 | | XSS | 2014-08-22 | 2018-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the multisite component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors to the (1) render_status_icons function in htmllib.py or (2) ajax_action function in actions.py. |
| 40983 | CVE-2014-5337 | 264 | | +Info | 2014-08-29 | 2018-11-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The WordPress Mobile Pack plugin before 2.0.2 for WordPress does not properly restrict access to password protected posts, which allows remote attackers to obtain sensitive information via an exportarticles action to export/content.php. |
| 40984 | CVE-2014-5336 | 20 | | DoS | 2014-08-26 | 2017-09-07 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Monkey HTTP Server before 1.5.3, when the File Descriptor Table (FDT) is enabled and custom error messages are set, allows remote attackers to cause a denial of service (file descriptor consumption) via an HTTP request that triggers an error message. |
| 40985 | CVE-2014-5335 | 352 | | CSRF | 2014-08-25 | 2018-10-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in innovaphone PBX 10.00 sr11 and earlier allow remote attackers to hijack the authentication of administrators for requests that modify configurations or user accounts, as demonstrated by (1) changing the administrator password via a crafted request to CMD0/mod_cmd.xml or (2) adding a new SIP user via a crafted request to PBX0/ADMIN/mod_cmd_login.xml. |
| 40986 | CVE-2014-5333 | 352 | | +Info CSRF | 2014-08-19 | 2017-09-07 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a '$' (dollar sign) or '(' (open parenthesis) character. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671. |
| 40987 | CVE-2014-5332 | 362 | | +Priv | 2015-02-06 | 2016-09-19 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | Race condition in NVMap in NVIDIA Tegra Linux Kernel 3.10 allows local users to gain privileges via a crafted NVMAP_IOC_CREATE IOCTL call, which triggers a use-after-free error, as demonstrated by using a race condition to escape the Chrome sandbox. |
| 40988 | CVE-2014-5331 | 79 | | XSS | 2014-10-18 | 2015-07-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Aflax allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 40989 | CVE-2014-5330 | 79 | | XSS | 2014-10-18 | 2015-07-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in BirdBlog allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 40990 | CVE-2014-5328 | 399 | | DoS Overflow | 2014-10-11 | 2014-10-15 | 6.8 | None | Remote | Low | Single system | None | None | Complete | Buffer overflow in the Webserver component on the Huawei E5332 router before 21.344.27.00.1080 allows remote authenticated users to cause a denial of service (reboot) via a long parameter in an API service request message. |
| 40991 | CVE-2014-5327 | 399 | | DoS Overflow | 2014-10-11 | 2014-10-15 | 6.8 | None | Remote | Low | Single system | None | None | Complete | Buffer overflow in the Webserver component on the Huawei E5332 router before 21.344.27.00.1080 allows remote authenticated users to cause a denial of service (reboot) via a long URI. |
| 40992 | CVE-2014-5326 | 79 | | XSS | 2014-11-23 | 2014-11-24 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 40993 | CVE-2014-5325 | 200 | | +Info | 2014-11-23 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
| 40994 | CVE-2014-5324 | 94 | | Exec Code | 2014-09-26 | 2014-09-26 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Unrestricted file upload vulnerability in the N-Media file uploader plugin before 3.4 for WordPress allows remote authenticated users to execute arbitrary PHP code by leveraging Author privileges to store a file. |
| 40995 | CVE-2014-5323 | 310 | | +Info | 2014-09-23 | 2014-10-04 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Yuko Yuko (aka jp.co.yukoyuko.android.yukoyuko_android) application 1.0.5 and earlier for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 40996 | CVE-2014-5322 | 79 | | XSS | 2014-09-21 | 2015-07-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Instant Web Publish function in FileMaker Pro before 13 and Pro Advanced before 13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-3640. |
| 40997 | CVE-2014-5321 | 310 | | +Info | 2014-09-21 | 2014-09-22 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | FileMaker Pro before 13 and Pro Advanced before 13 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2319. |
| 40998 | CVE-2014-5320 | 200 | | +Info | 2014-09-21 | 2014-09-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Bump application for Android does not properly handle implicit intents, which allows attackers to obtain sensitive owner-name information via a crafted application. |
| 40999 | CVE-2014-5319 | 22 | | Dir. Trav. | 2014-09-26 | 2015-07-29 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | Directory traversal vulnerability in the S-Link SLFileManager application 1.2.5 and earlier for Android allows remote attackers to write to files via unspecified vectors. |
| 41000 | CVE-2014-5318 | 264 | | Bypass | 2014-09-26 | 2017-01-06 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The jigbrowser+ application 1.8.1 and earlier for iOS allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code. |