# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
42951 |
CVE-2014-1879 |
79 |
|
XSS |
2014-02-20 |
2015-08-05 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action. |
42952 |
CVE-2014-1878 |
119 |
|
DoS Overflow |
2014-02-28 |
2018-12-25 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi. |
42953 |
CVE-2014-1877 |
79 |
|
XSS |
2014-03-13 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Phone, (2) Street, (3) Address line, (4) Zip code, or (5) City field to main/auth/profile.php; (6) Subject field to main/social/groups.php; or (7) Message body field to main/messages/view_message.php. |
42954 |
CVE-2014-1876 |
59 |
|
|
2014-02-10 |
2018-01-04 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6, 7, and 8; Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 does not securely create temporary files when a log file cannot be opened, which allows local users to overwrite arbitrary files via a symlink attack on /tmp/unpack.log. |
42955 |
CVE-2014-1875 |
59 |
|
|
2014-10-06 |
2017-08-28 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
The Capture::Tiny module before 0.24 for Perl allows local users to write to arbitrary files via a symlink attack on a temporary file. |
42956 |
CVE-2014-1874 |
20 |
|
DoS |
2014-02-28 |
2015-10-13 |
4.4 |
None |
Local |
Medium |
Single system |
None |
None |
Complete |
The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context. |
42957 |
CVE-2014-1870 |
|
|
|
2014-02-06 |
2014-02-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 19 on Mac OS X allows user-assisted remote attackers to spoof the address bar via vectors involving a drag-and-drop operation. |
42958 |
CVE-2014-1869 |
79 |
|
XSS |
2014-02-07 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in ZeroClipboard.swf in ZeroClipboard before 1.3.2, as maintained by Jon Rohan and James M. Greene, allow remote attackers to inject arbitrary web script or HTML via vectors related to certain SWF query parameters (aka loaderInfo.parameters). |
42959 |
CVE-2014-1868 |
|
|
DoS |
2014-10-06 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Restlet Framework 2.1.x before 2.1.7 and 2.x.x before 2.2 RC1, when using XMLRepresentation or XML serializers, allows attackers to cause a denial of service via an XML Entity Expansion (XEE) attack. |
42960 |
CVE-2014-1859 |
59 |
|
|
2018-01-08 |
2019-04-22 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
(1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) f2py/f2py2e.py, and (4) lib/tests/test_io.py in NumPy before 1.8.1 allow local users to write to arbitrary files via a symlink attack on a temporary file. |
42961 |
CVE-2014-1858 |
20 |
|
|
2018-01-08 |
2018-01-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
__init__.py in f2py in NumPy before 1.8.1 allows local users to write to arbitrary files via a symlink attack on a temporary file. |
42962 |
CVE-2014-1855 |
79 |
|
XSS |
2014-05-20 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in Seo Panel before 3.5.0 allow remote attackers to inject arbitrary web script or HTML via the (1) capcheck parameter to directories.php or (2) keyword parameter to proxy.php. |
42963 |
CVE-2014-1846 |
264 |
|
+Priv |
2018-04-27 |
2018-06-07 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
Enlightenment before 0.17.6 might allow local users to gain privileges via vectors involving the gdb method. |
42964 |
CVE-2014-1845 |
264 |
|
+Priv |
2018-04-27 |
2018-06-07 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
An unspecified setuid root helper in Enlightenment before 0.17.6 allows local users to gain privileges by leveraging failure to properly sanitize the environment. |
42965 |
CVE-2014-1843 |
22 |
1
|
Dir. Trav. +Info |
2014-04-29 |
2015-07-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Directory traversal vulnerability in the web interface in Titan FTP Server before 10.40 build 1829 allows remote attackers to obtain the property information of an arbitrary home folder via a Properties action with a .. (dot dot) in the src parameter. |
42966 |
CVE-2014-1842 |
22 |
1
|
Dir. Trav. |
2014-04-29 |
2015-07-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Directory traversal vulnerability in the web interface in Titan FTP Server before 10.40 build 1829 allows remote attackers to list all usernames via a Go action with a .. (dot dot) in the search-bar value. |
42967 |
CVE-2014-1841 |
22 |
1
|
Dir. Trav. |
2014-04-29 |
2015-07-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Directory traversal vulnerability in the web interface in Titan FTP Server before 10.40 build 1829 allows remote attackers to copy an arbitrary user's home folder via a Move action with a .. (dot dot) in the src parameter. |
42968 |
CVE-2014-1840 |
79 |
|
XSS |
2014-03-03 |
2014-03-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB 1.6.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a do_search action, which is not properly handled in a forced SQL error message. |
42969 |
CVE-2014-1839 |
|
|
|
2014-03-11 |
2018-10-30 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
The Execute class in shellutils in logilab-commons before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file. |
42970 |
CVE-2014-1838 |
59 |
|
|
2014-03-11 |
2018-10-30 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py in logilab-commons before 0.61.0 allows local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf. |
42971 |
CVE-2014-1837 |
79 |
|
XSS |
2014-01-30 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the StackIdeas Komento (com_komento) component before 1.7.4 for Joomla! allows remote attackers to inject arbitrary web script or HTML via vectors related to "checking new comments." |
42972 |
CVE-2014-1836 |
22 |
|
Dir. Trav. |
2015-07-01 |
2015-07-02 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action. |
42973 |
CVE-2014-1835 |
255 |
|
|
2018-02-02 |
2018-02-14 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to steal the login credentials by watching the process table. |
42974 |
CVE-2014-1834 |
77 |
|
|
2018-02-02 |
2018-02-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to inject arbitrary code by adding a semi-colon in their username or password. |
42975 |
CVE-2014-1833 |
22 |
|
Dir. Trav. |
2014-02-05 |
2018-01-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
Directory traversal vulnerability in uupdate in devscripts 2.14.1 allows remote attackers to modify arbitrary files via a crafted .orig.tar file, related to a symlink. |
42976 |
CVE-2014-1832 |
|
|
|
2015-02-19 |
2015-02-20 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831. |
42977 |
CVE-2014-1831 |
|
|
|
2015-02-19 |
2015-02-20 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. |
42978 |
CVE-2014-1830 |
200 |
|
+Info |
2014-10-15 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request. |
42979 |
CVE-2014-1829 |
200 |
|
+Info |
2014-10-15 |
2016-08-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request. |
42980 |
CVE-2014-1828 |
20 |
|
DoS |
2014-03-26 |
2014-03-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
The iThoughts web server in the iThoughtsHD app 4.19 for iOS on iPad devices allows remote attackers to cause a denial of service (disk consumption) by uploading a large file. |
42981 |
CVE-2014-1827 |
20 |
|
|
2014-03-26 |
2014-03-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The iThoughtsHD app 4.19 for iOS on iPad devices, when the WiFi Transfer feature is used, allows remote attackers to upload arbitrary files by placing a %00 sequence after a dangerous extension, as demonstrated by a .html%00.txt file. |
42982 |
CVE-2014-1826 |
79 |
|
XSS |
2014-03-26 |
2014-03-26 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the iThoughtsHD app 4.19 for iOS on iPad devices, when the WiFi Transfer feature is used, allows remote attackers to inject arbitrary web script or HTML via a crafted map name. |
42983 |
CVE-2014-1823 |
79 |
|
XSS |
2014-06-11 |
2018-10-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Web Components Server in Microsoft Lync Server 2010 and 2013 allows remote attackers to inject arbitrary web script or HTML via a crafted URL containing a valid meeting ID, aka "Lync Server Content Sanitization Vulnerability." |
42984 |
CVE-2014-1820 |
79 |
|
XSS |
2014-08-12 |
2018-10-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Master Data Services (MDS) in Microsoft SQL Server 2012 SP1 and 2014 on 64-bit platforms allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "SQL Master Data Services XSS Vulnerability." |
42985 |
CVE-2014-1816 |
264 |
|
|
2014-06-11 |
2018-10-12 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Microsoft XML Core Services (aka MSXML) 3.0 and 6.0 does not properly restrict the information transmitted by Internet Explorer during a download action, which allows remote attackers to discover (1) full pathnames on the client system and (2) local usernames embedded in these pathnames via a crafted web site, aka "MSXML Entity URI Vulnerability." |
42986 |
CVE-2014-1811 |
399 |
|
DoS |
2014-06-11 |
2019-05-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability." |
42987 |
CVE-2014-1809 |
264 |
|
Bypass |
2014-05-14 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
The MSCOMCTL library in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and 2013 Gold, SP1, RT, and RT SP1 makes it easier for remote attackers to bypass the ASLR protection mechanism via a crafted web site, as exploited in the wild in May 2014, aka "MSCOMCTL ASLR Vulnerability." |
42988 |
CVE-2014-1808 |
200 |
|
+Info |
2014-05-14 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability." |
42989 |
CVE-2014-1778 |
264 |
|
|
2014-06-11 |
2018-10-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary web script with increased privileges via unspecified vectors, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2014-2777. |
42990 |
CVE-2014-1777 |
200 |
|
+Info |
2014-06-11 |
2018-10-12 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Microsoft Internet Explorer 10 and 11 allows remote attackers to read local files on the client via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability." |
42991 |
CVE-2014-1771 |
310 |
|
+Info |
2014-06-11 |
2018-10-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
SChannel in Microsoft Internet Explorer 6 through 11 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack," aka "TLS Server Certificate Renegotiation Vulnerability." |
42992 |
CVE-2014-1754 |
79 |
|
XSS |
2014-05-14 |
2018-10-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server 2013 Gold and SP1, SharePoint Foundation 2013 Gold and SP1, Office Web Apps Server 2013 Gold and SP1, and SharePoint Server 2013 Client Components SDK allows remote attackers to inject arbitrary web script or HTML via a crafted request, aka "SharePoint XSS Vulnerability." |
42993 |
CVE-2014-1750 |
|
|
XSS |
2015-07-01 |
2016-05-27 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as a cross-site scripting (XSS) vulnerability, but this may be inaccurate. |
42994 |
CVE-2014-1748 |
|
|
|
2014-05-21 |
2017-12-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
The ScrollView::paint function in platform/scroll/ScrollView.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to spoof the UI by extending scrollbar painting into the parent frame. |
42995 |
CVE-2014-1747 |
79 |
|
XSS |
2014-05-21 |
2017-12-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the DocumentLoader::maybeCreateArchive function in core/loader/DocumentLoader.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to inject arbitrary web script or HTML via crafted MHTML content, aka "Universal XSS (UXSS)." |
42996 |
CVE-2014-1746 |
119 |
|
DoS Overflow |
2014-05-21 |
2017-12-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The InMemoryUrlProtocol::Read function in media/filters/in_memory_url_protocol.cc in Google Chrome before 35.0.1916.114 relies on an insufficiently large integer data type, which allows remote attackers to cause a denial of service (out-of-bounds read) via vectors that trigger use of a large buffer. |
42997 |
CVE-2014-1739 |
200 |
|
+Info |
2014-06-23 |
2017-12-20 |
1.7 |
None |
Local |
Low |
Single system |
Partial |
None |
None |
The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call. |
42998 |
CVE-2014-1738 |
264 |
|
+Info |
2014-05-11 |
2017-12-20 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device. |
42999 |
CVE-2014-1726 |
|
|
Bypass |
2014-04-09 |
2017-01-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The drag implementation in Google Chrome before 34.0.1847.116 allows user-assisted remote attackers to bypass the Same Origin Policy and forge local pathnames by leveraging renderer access. |
43000 |
CVE-2014-1725 |
20 |
|
DoS |
2014-04-09 |
2017-01-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
The base64DecodeInternal function in wtf/text/Base64.cpp in Blink, as used in Google Chrome before 34.0.1847.116, does not properly handle string data composed exclusively of whitespace characters, which allows remote attackers to cause a denial of service (out-of-bounds read) via a window.atob method call. |